On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.
North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B‑1379.
The law applies to any “agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government” as well as to the University of North Carolina and “any other entity for which the State has oversight responsibility.” Private sector entities are encouraged, but not required, to report cybersecurity incidents to the Department of Information Technology.
Passage of this first-of-its-kind law follows a sharp increase in ransomware attacks against state and local governments. On April 8, 2022, North Carolina A&T University was hit with a ransomware attack that disrupted the school’s wireless connections and shut down a number of its online educational tools.
Following North Carolina’s lead, Pennsylvania’s Senate recently approved a bill that would ban the use of taxpayer funds to pay ransoms following cyberattacks, except in cases where the governor has authorized the payment. New York also is pursuing legislation banning ransomware payments by both public agencies and private companies.