PA could mandate that ransoms NOT be paid in cyberattacks

July 27 – Legislation to ban ransom payments by municipalities made it out of a Pennsylvania State Senate committee just before the General Assembly session ended this past June.

Senator Kristin Phillips-Hill from York had introduced the legislation that passed almost unanimously in the committee – there was only one dissenting vote.

New York and North Carolina are also looking at similar legislation.

The legislation would ban local municipalities – including school districts – from making ransom payments if their systems get hacked. The argument behind it is that tax money should not be used for ransom payments.

While that makes sense, many IT and cybersecurity experts say it could cost far more to reconfigure the entire system and save the data than it would to just pay the ransom.

Attorney Clint Barkdoll, Pat Ryan and Michele Jansen discussed the proposed legislation this morning during the Big Talk on First News.

Barkdoll said, “It’s a very complicated issue and it will be interesting to see what our General Assembly does with this when they return in September. It will be on the Senate agenda first. Something to keep an eye on because we know this is a growing problem not only in Pennsylvania, but around the US.”

Ryan asked, “Wouldn’t that be an unfunded mandate?”

Barkdoll said, “It would be in as much as if this passes and then the municipality would have to reconstitute its IT if they’re hacked. It effectively becomes an unfunded mandate and in a weird way it might end up being much more expensive if you’re a town or a school district that can’t pay the ransom because you now must re-do your whole system. You may see some borough leaders, township leaders, school board leaders maybe pushing back against this law saying as much as we hate this and as distasteful as all of this is, we may be better off paying a ransom than having to re-do our entire system.”

Ryan wondered, “Who’s doing the stress tests as well? What Nathan Neil has brought up time and time again is it’s not necessarily the borough that’s the problem, or not necessarily the business that’s the problem, it’s the third party vendors. He was even talking about some business that got hacked through the smart thermostat through an HVAC window of opening there. You may be fine, but how about the rest of the promises to the rest of your vendors?”

The mess in Norway and Sweden in the grocery stores, pharmacies and gas stations came from a third party vendor in Miami, Florida.

Barkdoll said, “That often is where the problem lies and it’s a good illustration. If a borough gets cyber hacked, it might not be the borough’s infrastructure, it might be this third party vendor but nonetheless if this proposed law is passed, the borough would nonetheless be unable to pay the ransom, they would have to start all over again from square one.”