North Carolina Becomes First United States State to Prohibit Ransom Payments

As of April 5, 2022, North Carolina has enacted N.C.G.S. § 143-800(a), which governs ransomware payments, as part of the state budget appropriations law enacted November 18, 2021.

Under the terms of the law, state agencies and local government entities in North Carolina are prohibited from making payments to, or communicating with, an entity that has conducted or “engaged in” a cybersecurity incident or attack on another’s information technology system and then offers to undo that attack by decrypting the organization’s data in exchange for a ransom payment.

Under this law, “local government” entities include “a city, a county, a local school administrative unit, . . . or a community college.” State agencies are defined as “[a]ny agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government. The term includes The University of North Carolina and any other entity for which the State has oversight responsibility.”

Additionally, state agencies and local government entities that receive a ransom request connected to a cybersecurity incident are required to consult with the North Carolina Department of Information Technology.

This law is the first state-led legislative effort in the United States to prohibit this type of payment and communication. Other states are considering similar measures. Pennsylvania’s Senate Bill 726, approved by the Pennsylvania Senate in January 2022, would prohibit the use of Pennsylvania “taxpayer money or public money to pay an extortion attempt involving ransomware,” barring a declaration of emergency or an authorization of payment issued by the Pennsylvania governor.

Additionally, the New York Senate is currently considering legislation, Senate Bill S6806A, that would prohibit the issuance of ransomware payments by both public agencies and private business entities in connection with a cyber incident or ransomware attack.

Reportedly, legislators in North Carolina and Pennsylvania have suggested that these prohibitions may discourage cyber attacks, since threat actors would have no legal avenue to receive payment from public entities. However, the legislators also acknowledged a disadvantage for public agencies that suffer a cyber incident before creating back-ups of their information systems: absent an illegally issued ransomware payment, they would be unable to recover the encrypted information and would be forced to rebuild.
