State Policymakers Tackling Cyber Issues Including Ransomware
In 2021, North Carolina became the first state to prohibit state agencies and local government entities from paying a ransom following a ransomware attack. This first-of-its-kind state law also prohibits public entities from communicating with a malicious actor following a ransomware attack. Instead, they will have to consult with the North Carolina Department of Information Technology when they experience such an attack.
On June 28, 2022, Florida Governor Ron DeSantis signed HB 7055. Effective July 1, 2022, it requires all state agencies to report cybersecurity and ransomware incidents and requires that every state employee receive substantive training in cybersecurity.
New York, Pennsylvania, Arizona and Texas all have considered legislation that would prevent the paying of ransom in ransomware cases. Pennsylvania’s bill has now passed both houses. That bill aims to develop guidelines for agencies to follow in beefing up their preparedness to respond to ransomware attacks. The bill, however, does not appropriate any funds to help agencies bolster their ransomware response capabilities. Texas’s and Arizona’s bills would prohibit the use of state and local taxpayer money or other public money to make a ransom payment. Neither of these bills failed in their first committee.
Several bills were introduced in New York addressing ransomware. New York’s proposal not only prohibits government agencies from paying ransom but also prohibits businesses and health care entities in the Empire State from paying ransom.
Other states are tackling cyber issues in different ways. In 2022, there were over 250 pieces of legislation at the state level regarding cybersecurity, and each year that number grows. Several states are creating task forces, cyber offices or departments and mandating strategic plans and councils specifically for state and local cyber issues.
Washington created an office of cybersecurity with a detailed list of requirements for a centralized protocol to protect and manage state IT assets.
Colorado passed legislation to broaden the powers of the Legislature’s Joint Technology Committee. The law also charges the Colorado Cybersecurity Council with developing a whole-of-state cybersecurity approach, including better coordination and setting of strategic statewide cybersecurity goals, road maps and best practices.
Minnesota has created a Legislative Commission on Cybersecurity to review cybersecurity policies and practices of state agencies and to recommend changes in policy to protect the state.
Maryland requires the Secretary of Information Technology to advise on and oversee a consistent cybersecurity strategy for state government. Nevada, Ohio and Vermont require statewide strategic plans. Last year Florida and New Hampshire created statewide cybersecurity advisory councils within their IT departments.
States are intently looking to increase their security and, across the board, are considering measures that would strengthen security standards, require security awareness training, improve incident response and modernize IT systems.
You can see what state legislators did in 2021 by checking out our 2021 Legislative Roundup blog here and stay tuned for the 2022 roundup.