Scott Ikeda reports:
The issue of banning ransomware payments has been contentious and hotly debated in governments throughout the world in the last few years, particularly as the problem seemed to grow out of control during the Covid-19 pandemic. In the US, the federal government has come down on the side of allowing payments but adding increasingly stringent incident reporting requirements to get law enforcement involved as fast as possible.
As with the issue of data privacy regulations, some states have decided to take their own approach. Pennsylvania was the first in January of this year, with the state Senate passing a ban that prohibits agencies or organizations that receive taxpayer funds from making ransomware payments (the bill remains before the state House awaiting a vote). North Carolina added a comprehensive ban on local and state agency ransomware payments in May, followed by a similar measure in Florida in July. New York, Texas, Arizona and New Jersey have also had bills of this nature recently come up for consideration.
Read more at CPO Magazine.
So if a business does business in multiple states, and some states disallow ransom payments, but other states allow it, what does the business do? And will patients in one state go up in arms because their providers cannot protect their data by paying ransom while patients in other states have their providers try to pay off attackers not to leak data? No, I am not arguing for a uniform federal law on this that might pre-empt stronger state protections. I am just pointing out what a mess this has the potential to rapidly become.