Restrictions on Paying a Ransom Demand - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to respond to regulators, and much more. “Dear Mary” goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered — whatever may keep you up at night — and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice — always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

Which states now have statutory laws prohibiting payment of ransom following a data security breach? Are there others working on such legislation, to your knowledge?

– Dick Clarke (But Not the New Year’s Eve Guy)



July 31, 2024

Dearest Dick,

While the phrases “ransomware” and “good news” rarely find themselves in harmonious company, private businesses may find solace in the knowledge that, generally, U.S. law does not restrict private entities from paying a ransom in the unfortunate event of a ransomware attack. Alas, the same cannot be said for our public sector counterparts. Legislation in states such as North Carolina, Florida, and Tennessee restricts public sector entities from paying a ransom, with North Carolina even forbidding any communication with the threat actor altogether. Last I heard, other states such as Arizona, New York, Pennsylvania, Illinois, Iowa, Massachusetts, and Texas have been contemplating similar and possibly even more expansive laws. Additionally, laws have been introduced at the federal level that could potentially restrict ransom payments for certain types of entities, such as financial institutions, so that is most certainly something to look out for.

For private entities, although paying the ransom is not currently prohibited, there are steps that should be taken prior to making such a payment. These include notifying law enforcement and conducting a sanctions check, among others. If these steps are satisfactorily completed, the entity may be at liberty to proceed with the payment. Additionally, the entity should consider whether any regulatory authorities, such as CISA, need to be notified once payment is made.

Yours sincerely,


Written by:

Troutman Pepper
