Late last year, North Carolina became the first U.S. jurisdiction to prohibit state agencies and local government entities from making a ransom payment or communicating with a threat actor following a ransomware attack.[1] Florida has now followed suit, making it the second state to restrict how public entities can respond to ransomware events.
Below is an overview of both laws and a discussion of what they mean for public entities in both states.
NORTH CAROLINA: N.C.G.S. § 143-800
Who is covered by the statute?
The law applies to all local government entities, such as cities and counties, all state agencies and all departments of executive, legislative and judicial branches of government. The new law covers local school administrative units, community colleges and public entities like The University of North Carolina.[2]
What activities does the statute prohibit?
Under the law, covered entities are prohibited from submitting payment to a threat actor following a ransomware attack, which would include paying any ransom demand or purchasing a decryption key to decrypt data encrypted through the attack.[3] The law also prohibits any communication with threat actors.[4]
What affirmative steps does the statute require?
This new law requires entities to report any significant cybersecurity incident to the North Carolina Department of Information Technology within 24 hours of the incident.[5]
FLORIDA: THE STATE CYBERSECURITY ACT (§ 282.318 Fla. Stat.)
Who is covered by the statute?
The law applies to any “state agency.”[6] Florida law defines “state agency” to include any department of the executive branch of government, the Justice Administrative Commission and the Public Service Commission.[7] The definition specifically excludes university boards of trustees and state universities.[8] The State Cybersecurity Act also broadens the traditional definition of state agency to include the Florida Department of Legal Affairs, the Florida Department of Agriculture and Consumer Services, and the Florida Department of Financial Services.[9]
What activities does the statute prohibit?
Florida law now states that any state agency, county, or municipality “may not pay or otherwise comply with a ransom demand.”[10] Unlike North Carolina’s law, there does not appear to be any prohibition on communicating with a ransomware threat actor.
What affirmative steps does the statute require?
The law requires state agencies to report ransomware incidents and other significant cybersecurity incidents to the Florida Cybersecurity Operations Center and the Cybercrime Office of the Florida Department of Law Enforcement. Such incidents must be reported “as soon as possible,” but not later than: (1) 12 hours after the discovery of a ransomware incident or (2) 48 hours after the discovery of any other covered incident.[11]
The report regarding each covered incident must include the following information[12]:
- A factual summary of the ransomware or other cybersecurity incident;
- The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and whether the backup was cloud-based;
- The types of data compromised by the incident;
- The estimated fiscal impact of the incident; and
- For ransomware incidents, the details of the ransom being demanded.
TAKEAWAYS
Proponents of the law argue that if public entities are prohibited from paying ransoms, the threat actors will no longer direct their attacks at state agencies, schools and other public entities covered by such laws. Prohibiting ransom payments also ensures that state funds are not directed into the hands of criminal actors.
Critics of an outright ban on paying ransom demands in the wake of a ransomware attack question whether removing the financial incentive will actually deter threat actors, and whether threat actors will even be aware of such laws before mounting an attack. Additionally, a ban on making ransomware payments could discourage state agencies and other covered entities from purchasing cyber liability insurance, which can help transfer risk and improve an organization’s overall cyber preparedness.
Even where an entity decides not to make a ransom payment (or never intended to in the first place), communications with a threat actor following a cyberattack can be critical. Such communications can help an entity to understand the scope of the incident, gain knowledge about the nature of the threat, and buy time for the entity to strengthen its network security and protect against repeat attacks from the same adversary. Therefore, North Carolina’s prohibition on communicating with a threat actor could prove difficult for covered entities in the wake of a ransomware attack.
What is certain is that covered entities in North Carolina and Florida will need to be proactive against potential cyberattacks, which has become increasingly difficult given the limited resources in the public sector and the increase in attacks against these entities. The best defenses against a cyberattack include a layered defense using strong network security to ward off potential attacks and reliable, real-time backups of critical systems and data. These proactive measures can help to avoid an attack in the first place or allow an entity to recover data affected by the attack without engaging with the threat actor.
The Incident Response Team at Connell Foley offers a 24/7 hotline that serves as breach response counsel across various industries. Our response team will continue to monitor developments related to these new laws and the potential for other states to adopt the same policy in the future.
[1] Current Operations Appropriations Act of 2021, S.L. 2021-180.
[2] N.C.G.S. § 143-800(c).
[3] N.C.G.S. § 143-800(a).
[4] Id.
[5] N.C.G.S. § 143-800(b), N.C.G.S. § 143B-1379.
[6] § 282.318(2) Fla. Stat.
[7] § 282.0041(34) Fla. Stat.
[8] Id.
[9] § 282.318(2) Fla. Stat.
[10] § 282.3186 Fla. Stat.
[11] § 282.318(3)(c) 9.c.(1) Fla. Stat.
[12] § 282.318(3)(c) 9.b. Fla. Stat.
Karen Painter Randall, formerly certified by the Supreme Court of New Jersey as a Civil Trial Attorney, is a partner at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy, and Incident Response Group. With extensive ...