North Carolina Prohibits Ransom Payments by State and Local Government Agencies

June 24, 2022

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

North Carolina made national headlines recently as the first state to prohibit state agencies and local government entities from paying a ransom following an attack. But N.C. Gen. Stat. § 143-800 goes one step further, prohibiting those entities from even communicating with a threat actor following an attack.

The law will apply to “agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government” as well as to the University of North Carolina and “any other entity for which the State has oversight responsibility.” As reported by the National Law Review, public entities affected by an attack will also be required to consult with the North Carolina Department of Information Technology (NCDIT), while private entities are only encouraged to report such attacks to the NCDIT. It is important to note that any information shared with the NCDIT will not be subject to public disclosure as a public record.

The rationale behind the law is that the lack of financial incentive will deter threat actors from attacking North Carolina government agencies or schools. Lawmakers further bolstered their decision by pointing out that the FBI does not support paying a ransom in response to an attack. Along with the FBI, North Carolina lawmakers have stated that paying a ransom simply encourages threat actors to continue to launch these types of attacks due to the possibility of a large payout. Further, proponents of a ban believe it will force entities to take a more aggressive, proactive approach to cybersecurity.

On the other hand, opponents of a ban note that network intrusions and resulting ransomware attacks often happen despite the victim entity’s robust cybersecurity and can, for instance, sometimes result from software vulnerabilities not known to the entity at the time of the incident. It might also cause threat actors to focus their attention on entities that are not subject to the ban or those who simply cannot afford a significant amount of downtime and are thus more likely to pay a ransom.

Other states proposing similar laws, like Pennsylvania, prohibit the use of taxpayer funds for ransom payments unless the governor authorizes the payment.

While it is not yet clear what type of impact this new legislation will have on future cyberattacks, increasing your organization’s cybersecurity and incident response preparedness is certainly beneficial, regardless of whether you are subject to this new legislation. For instance, implementing appropriate safeguards, ensuring you have reliable back-up systems adequately segmented from your network, and purchasing adequate cyber insurance are all ways in which an organization can protect itself. Further, as Lewis Brisbois Partner Jason Cherry mentioned in his recent post, going beyond internal testing and having a third party perform a penetration test can be an invaluable tool.

For more information on this new law, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.