May 25, 2022

Volume XII, Number 145

Advertisement
Advertisement

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis

North Carolina Becomes First State to Prohibit Public Entities from Paying Ransoms

On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.

North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B‑1379.

The law applies to any “agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government” as well as to the University of North Carolina and “any other entity for which the State has oversight responsibility.” Private sector entities are encouraged, but not required, to report cybersecurity incidents to the Department of Information Technology.

Passage of this first-of-its-kind law follows a sharp increase in ransomware attacks against state and local governments. On April 8, 2022, North Carolina A&T University was hit with a ransomware attack that disrupted the school’s wireless connections and shut down a number of its online educational tools.

Following North Carolina’s lead, Pennsylvania’s Senate recently approved a bill that would ban the use of taxpayer funds to pay ransoms following cyberattacks, except in cases where the governor has authorized the payment. New York also is pursuing legislation banning ransomware payments by both public agencies and private companies.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 122
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement