Florida has become the second state in the US to forbid its government agencies from making ransomware payments, following similar rules passed in North Carolina in May. This adds to the “patchwork” of state-level data handling and privacy regulations that has been growing as the federal government continues to debate a national law, and at least five additional states are considering their own rules for ransomware payments at this point.
Along with Florida and North Carolina, most of the states considering banning ransomware payments are limiting their focus to state and local government agencies. But legislation under consideration in New York would make it the first state to ban private companies and organizations from making payments as well, should the proposed bill pass in its current form.
States test out ransomware payment bans as deterrent
The Florida and North Carolina bills are similar in that they forbid state and local governments from making ransomware payments, but the Florida regulations are stronger. North Carolina has its agencies report the incident to the central Department of Information Technology within 24 hours, while in Florida victims will have just 12 hours from incident discovery to report in to multiple agencies.
The two states are essentially becoming test subjects, as there is not a great body of evidence to support the idea of banning ransomware payments in one direction or the other. Governments around the world have been reluctant to test the idea given that many organizations have no realistic response other than to pay the demand and hope for the best, with the bill for remediation and repair likely tens of millions of dollars higher than simply making the payment.
The argument relies on criminals abandoning the pursuit of targets that have been banned from issuing payments, but this theory could go in the other direction; attackers could instead hammer targets in these regions in the hopes of generating political pressure to reverse the decision. Payment bans could also push attackers toward more destructive attack types that cause real-world damage in a bid to turn up the heat. Given the size of the ransomware industry and the money at stake for criminals, the one certainty is that they won’t simply give up immediately and find honest work.
States setting different terms for ransomware payment bans, potentially creating confusion
In addition to the difference in reporting times and standards, some small differences in the state ransomware payment bans demonstrate the level of confusion that private businesses operating at a national level might face if laws such as the proposed New York bill take hold.
For example, Florida puts extra requirements on “severe” and “emergency-level” incidents. However, the working definitions of these incident levels cover impacts on people anywhere in the United States, not only those living in Florida. North Carolina has no similar requirements. This creates at least a theoretical possibility that an incident in North Carolina could require a company operating in both states to respond under Florida’s rules but not under North Carolina’s.
If private businesses are looped into these requirements, as New York is currently considering, there is also the question of whether the proposed penalties will serve as actual deterrents to larger companies. New York is only seeking a maximum penalty of $10,000 per incident, a trivial addition to ransomware demands (and clean-up costs) that are now often in the millions of dollars.