Ransomware: To Pay or Not to Pay? It Just Got More Complicated
When an organization experiences a ransomware attack, it must address significant—and sometimes competing—challenges under pressing deadlines. These challenges include the following: evicting the threat actor from the network environment; restoring affected systems; recovering encrypted data, where viable backups exist; conducting a forensic investigation to determine the intrusion vector and scope of compromise; and communicating with an array of stakeholders (such as customers, vendors, insurers, employees, law enforcement, regulators and the media).
Organizations also must evaluate notice obligations amid a patchwork of laws and regulations, as well as under the contracts they hold. There are sector-specific reporting requirements for regulated industries. Every US state has its own data breach notification law. And public companies must take “all required actions” to inform investors about material cybersecurity risks and incidents.
When it comes to making a ransom payment, the primary legal hurdle to clear has been the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions regime. That hurdle is now getting higher. A burgeoning body of state law is restricting how organizations—specifically, public sector entities—can respond to ransomware incidents and pay demands.
On July 1, 2022, Florida joined North Carolina to become the second US state to prohibit state and local government agencies from complying with or paying ransomware demands. Florida’s law also imposes hair-trigger notification requirements on those agencies. While at first blush the impact of the Florida and North Carolina laws appears limited to ransomware attacks on state and local government entities, these new laws create a number of novel questions with potentially broader application.
Florida and North Carolina may not be the end of the line in this area of law. There also are ransomware-related bills currently pending in Arizona, New York, Pennsylvania and Texas, as well as federal bills introduced in Congress. These statehouse developments could soon result in a balkanized compliance framework akin to data breach notification laws.
This article provides an overview of the new ransomware laws and previews some of the pending state and federal legislation. The article also explores implications the ransomware prohibitions may have beyond the public sector agencies to which they facially apply. At bottom, responding to ransomware attacks has always been a high-stakes, complex undertaking, and with these new laws, it has now gotten even more challenging for organizational victims.
WHAT FLORIDA’S NEW LAW REQUIRES
Florida CS/HB 7055 amends the State Cybersecurity Act to impose new cybersecurity requirements on Florida state, county and local government agencies, including forthcoming guidelines and processes for cataloging and managing IT systems, conducting risk assessments, cybersecurity standards, data recovery, incident response, cybersecurity training and reporting cybersecurity and ransomware incidents.
With respect to a ransomware incident, which is defined broadly under the Act:
State and local government agencies are prohibited from paying “or otherwise comply[ing]” with a ransom demand;
State and local government agencies must notify the Florida Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement and for local government agencies, the sheriff who has jurisdiction over the agency, within 12 hours of discovery, and such notice must contain specific details about the incident and its impact;
The Cybersecurity Operations Center must notify the President of the Florida Senate and Speaker of the Florida House of Representatives regarding high, severe and emergency-level cybersecurity incidents, which are defined in the Act, within 12 hours of receiving a report; and
Local government agencies must submit an after-action report to the Florida Digital Service within one week of remediation summarizing the incident, its resolution and “any insights gained as a result of the incident.”
The Act also requires guidelines, processes and standards be issued and adopted over the next two years, including the following:
Cybersecurity standards for local government agencies, which are “consistent with generally accepted best practices for cybersecurity,” including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (between January 1, 2024 and January 1, 2025, depending on the jurisdiction’s size); and
Guidelines and processes for the after-action reports required of local government agencies (by December 1, 2022).
These forthcoming materials are sure to create additional obligations on Florida state and local government agencies, as well as have cascading effects on other entities.
OTHER LEGISLATION GOVERNING RANSOMWARE RESPONSE
Florida’s law follows on the heels of North Carolina, the first state to enact a law prohibiting state agencies and local government entities from negotiating with ransomware actors or paying a ransomware demand. North Carolina’s notification provision is not as stringent as the Florida law, as it simply requires an agency or entity to “consult” the North Carolina Department of Information Technology when there is a ransomware incident.
Similar and more expansive statutes are being considered across the US, including Arizona, New York, Pennsylvania and Texas.
Notably, New York SB 6806 would prohibit not only government entities but any business operating in New York from paying a ransom (or having a ransom paid on its behalf) with civil penalties for violations of up to $10,000.
Pennsylvania SB 726 would prohibit the use of taxpayer or other public money for ransomware payments and would require IT-managed service providers of state agencies to notify an “appropriate official” of a ransomware incident within one hour of discovering the incident.
Arizona HB 2145 would prohibit any state or local government agency from making a payment “to remove or decrypt ransomware from the system files,” as well as require the affected agency to “immediately notify” the Arizona Department of Homeland Security of such attacks.
Texas HB 3892 contains a similar payment prohibition as Arizona but has a more forgiving notification requirement (“as soon as practicable after discovering”).
At the federal level, there have been a number of bills introduced in this Congress. The proposed Ransomware and Financial Stability Act would prohibit US financial institutions from making a ransom payment greater than $100,000 unless given explicit authorization by a federal law enforcement agency. And the proposed Ransom Disclosure Act would require public and private entities to report any ransom payments within 48 hours to the US Department of Homeland Security (DHS) through a DHS-created portal.
TAKEAWAYS FROM THE NEW LAWS
For public sector victims in Florida and North Carolina, the options for responding to ransomware incidents just became much more limited. Recognizing the public policy rationale against negotiating with and paying criminal actors, as a practical matter, the new laws place government agencies in a very difficult position where critical data is encrypted, backups are not accessible, and payment is the only viable path to restoration and recovery. Yes, over the long term, enhanced cybersecurity will reduce the likelihood of such a predicament, but it will not resolve near-term needs. More broadly, where a ransomware incident affects data belonging to multiple states’ data being held by a single entity, will the new laws restrict the ability to negotiate and/or pay a demand? The forthcoming Florida guidelines, processes and standards likely will create additional compliance questions for government agencies, as well as the entities that access data and systems belonging to those agencies. And if New York’s pending bill is any indication, the reaches of this new wave of legislation may extend far beyond organizations with access to government data. Thus, businesses would be wise to monitor developments in these states and others that take up ransomware-related legislation and seek legal advice as questions inevitably arise.
John Ying, a Summer Associate in the Atlanta office, also contributed to this article.
 For example, federally regulated banking organizations must notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours after the banking organization determines that an incident has occurred. In addition, federally regulated bank service providers must notify each affected bank organizations of such an incident “as soon as possible” after determining it has experienced such an incident. See The Office of the Comptroller of the Currency (OCC), Treasury, the Board of Governors of the Federal Reserve System (Board) and the Federal Deposit Insurance Corporation (FDIC), Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, available at https://www.ots.treas.gov/news-issuances/news-releases/2021/2021-119a.pdf. Covered freight railroads, passenger rail and rail transit systems must report a “cybersecurity incident” to the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CIS) within 24 hours of identifying a covered incident. See https://www.tsa.gov/news/press/releases/2021/12/02/dhs-announces-new-cybersecurity-requirements-surface-transportation.
 Securities and Exchange Commission Statement and Guidance on Public Company Cybersecurity Disclosures, available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
 OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sep. 21, 2021), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf; OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.
 AZ HB 2145; NY SB 6806; PA SB 726; TX HB 3892.
 HR 5936; S 2943, HR 5501.
 Available at https://www.flsenate.gov/Session/Bill/2022/7055/BillText/er/PDF.
 “Ransomware incident” is defined as “a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.” Fla. Stat. § 282.0041(21).
 Fla. Stat. § 282.3186.
 High, severe and emergency-level “cybersecurity incidents” must be reported within 48 hours. Id. at §§ 282.318(3)(c)(9)(c)(I), 282.3185(5)(b)(1).
 The notice must include at a minimum: (1) a summary of the facts surrounding the incident; (2) the date on which the local government most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing; (3) the types of data compromised by the incident; (4) the estimated fiscal impact of the incident; (5) in the case of a ransomware incident, the details of the ransom demanded; and (6) a statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government. Fla. Stat. § 282.3185(5)(a).
 A “high-level” incident is one “that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.” Fla. Stat. § 282.318(3)(c)(9)(a)(III). A “severe-level” incident is one “that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.” Id. at § 282.318(3)(c)(9)(a)(II). An “emergency-level” incident is one “that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents.” Id. at § 282.318(3)(c)(9)(a)(I).
 Id. at §§ 282.318(3)(c)(9)(c)(II), 282.3185(5)(b)(2).
 Id. at §§ 282.318(3)(c)(14), 282.3185(6).
 Id. at § 282.3185(4).
 Id. at §§ 282.318(3)(c)(14), 282.3185(6).
 N.C.G.S. § 143-800(a), (b).