North Carolina bans state entities from negotiating with hackers - and other states may follow
This article is part of an ongoing series providing insight and updates on the latest state data privacy legislation.
As the cyber threat landscape evolves, North Carolina has paved the way as the first U.S. state to outlaw ransom negotiations. The law prohibits state agencies and local government entities that have been the victim of a ransomware attack from paying or even communicating with the threat actor.
North Carolina outlaws ransomware negotiations
Specifically, the law provides that upon “experiencing a ransom request in connection with a cybersecurity incident,” the state agency or local government entity must instead “consult with the Department of Information Technology.” N.C. Gen. Stat. Ann. § 143-800(b).
On November 18, 2021, North Carolina’s General Assembly enacted the law as part of its budget appropriations for current operations of public entities. The law broadly applies to local political subdivisions of the state and any “agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government” as well as the University of North Carolina “and any other entity for which the State has oversight responsibility.” Id. at § 143-800(c). This new reporting obligation overlaps with, and heightens, North Carolina’s general mandate that such entities report confirmed cybersecurity incidents, of any kind, to the Department of Information Technology within 24 hours. See N.C. Gen. Stat. Ann. § 143B-1379. North Carolina encourages, but does not require, private sector entities to also report cyber incidents to the Department of Information Technology. See id.
Other states consider similar ransomware negotiation mandates
More laws of this kind may be on the horizon, as Pennsylvania and New York are considering similar mandates. Pennsylvania’s proposed legislation would impose a tight time frame, requiring agencies to report a ransomware attack to the appropriate state officials within two hours, and it would ban the use of taxpayer money for ransomware payments except in certain circumstances where payment is authorized by the governor. New York’s legislation, if enacted, would prohibit ransomware payments not only by public agencies but also by private companies.
Ransomware attacks and cost of a data breach increasing
Why are we seeing this trend? Ransomware attacks are rampant, and the average total cost of a data breach is increasing annually. In 2021, according to a study conducted by the Ponemon Institute, the average total cost of a ransomware breach was $4.62 million—excluding the cost of any ransom demand or payment—and including the costs of remediation efforts, notification, interruption to business operations and revenue loss. While paying or not paying a ransom is only one of many potential financial harms involved in a ransomware attack, taking ransom negotiations off the table sends a message to threat actors and provides a clear directive for victims of cyberattacks, who no longer have the option of paying the ransom for relief.
Now, more than ever, organizations need to get proactive: prepare for the worst and be ready to fight back. This means investing in good backups and working with cybersecurity professionals to evaluate and enhance security controls, educate employees, and practice incident response.