One year ago this week, we posted a blog explaining that the New York Department of Financial Services (NYDFS) issued a framework of seven best practices that insurers should adopt, including a recommendation that insurers stop paying ransom payments in response to ransomware. Now, North Carolina has enacted a statute that not only forbids its public entities from paying ransoms, but also prohibits public entities from communicating with ransomware threat actors. Instead, North Carolina public entities, including public schools and universities, are required to consult with the North Carolina Department of Information Technology (NCDIT).
This law, part of the budget appropriations statute enacted on November 18, 2021, and effective as of last month, applies to all local government entities, including cities, counties, local school administrative units, and community colleges. All North Carolina agencies, including boards, bureaus, officials, commissions, and other entities of the executive, legislative, and judicial branches (not to mention The University of North Carolina), are all subject to both payment and communication prohibitions.
The rationale for the law, per North Carolina’s legislative history, is that intruders will be dis-incentivized from attacking public entity information resources if they know public entities are prohibited from even negotiating payment. Although this rationale may be sound, public entities should be diligent in confirming that reliable backup systems, as well as appropriate administrative, technical, and physical safeguards are in place to thwart and mitigate security incidents. These responsibilities still belong exclusively to each public entity.
Only North Carolina public entities are governed by the payment and communication prohibitions. Although North Carolina public entities are required to report cybersecurity incidents to the NCDIT, private sector entities are only encouraged to do so. Information shared with the NCDIT, whether by public or private entities, relating to security standards, data processing systems, and information technology systems, is not subject to public disclosure as a public record.
North Carolina may very well be a harbinger of things to come. In Pennsylvania, a similar bill was passed by the state senate in January 2022, which would ban the use of taxpayer funds to pay ransoms absent certain attenuated conditions. Likewise, New York has a similar bill, currently in committee, which would ban ransomware payments by both public agencies AND private companies.
For businesses that agonize over whether to pay the ransom or not, we recommend identifying data governance practices that can eliminate the need to rely upon bad actors to restore data. Establishing enterprise-wide data backup plans and encrypting sensitive data (both at rest and in transit) are a great start. Slowing down prior to any incident to understand the benefits, risks, and impact of incident response preparedness can save time, money, and stress down the line.
Stay tuned to our Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application for more updates and information on these state law developments, and all things privacy and security.