February 3, 2023

Volume XIII, Number 34

Not in My Backyard: NC Becomes First State to Prohibit Public Entities from Paying Ransoms

As part of the budget appropriations law enacted on November 18, 2021,[1] North Carolina became the first state in the nation to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.[2] The new law also prohibits public entities from communicating with a malicious actor following a ransomware attack. Instead, such entities must consult with the North Carolina Department of Information Technology (the “Department”) when they experience such an attack.[3] Passage of this law follows a sharp increase in ransomware attacks against state and local governments since 2019.

The new law applies to all local government entities, including cities, counties, local school administrative units, and community colleges. All state agencies—including boards, commissions, bureaus, officials, and other entities of the executive, legislative, and judicial branches, as well as The University of North Carolina—also are subject to the payment and communication prohibitions.[4] 

Local government entities are required to report cybersecurity incidents to the Department, while private sector entities are encouraged, but not required, to make such reports.[5] Information shared with the Department—including security features of a public entity’s electronic data processing systems, information technology systems, telecommunications networks, or electronic security systems, including hardware or software security, passwords, or security standards, procedures, processes, configurations, software, and codes—is not subject to public disclosure as a public record.[6]

A similar bill approved by the Pennsylvania Senate in January 2022 would ban the use of taxpayer funds to pay ransoms following cyberattacks, except where the governor has made a declaration of a disaster emergency and authorized the payment.[7] New York also is pursuing legislation banning ransomware payments by both public agencies and private companies.[8]

Lawmakers in North Carolina and Pennsylvania have suggested that if hackers know that a state or local agency is prohibited by law from paying a ransom, the hackers will have no financial incentive to attack such agencies and accordingly will look for victims in other states. However, categorically prohibiting ransom payments may disadvantage public agencies that have not created back-up copies of their information systems, as they will be unable to restore or rebuild their systems. State and local agencies in these states and elsewhere should make efforts to assure that they have reliable back-up systems, appropriate safeguards for their information technology systems, and adequate cyber insurance coverage.

FOOTNOTES

[1] Current Operations Appropriations Act of 2021, S.L. 2021-180.

[2] N.C.G.S. § 143-800(a).

[3] N.C.G.S. § 143-800(b).

[4] N.C.G.S. § 143-800(c).

[5] N.C.G.S. § 143B-1379(c).

[6] N.C.G.S. § 132-6.1(c).

[7] Pennsylvania SB 726 (2021), available at btCheck.cfm (state.pa.us).

[8] See 2021-2022 NY Senate Bill S6806A § 401(2), available at NY State Senate Bill S6806A (nysenate.gov)

Copyright ©2023 Nelson Mullins Riley & Scarborough LLP
National Law Review, Volume XII, Number 95

About this Author

Patricia A. Markus, Partner, Nelson Mullins

Trish represents healthcare providers and related organizations across the country on an array of healthcare regulatory compliance, reimbursement, licensure, and operational matters, with a special focus on issues surrounding health information privacy, security, and technology. Trish provides strategic and practical advice regarding HIPAA and other data privacy and security laws, information blocking and interoperability requirements, telehealth and health information exchange initiatives, technology licensing and services arrangements, cybersecurity risks and data...

919-329-3853