Ransomware Payments: How Pennsylvania Legislation May Impact MSSPs, MSPs
Pennsylvania’s state Senate has passed legislation banning the Commonwealth’s agencies from siphoning state and local taxpayers’ money or other public funds to pay ransomware hijackers to unlock barricaded systems.
Senate Bill 726, first introduced in May, 2021, details the nature of a ransomware infiltration and makes it illegal to develop, sell or distribute the malware within Pennsylvania. The bill now heads to the state’s House of Representatives for amending.
The law has a direct impact on managed security services providers (MSSPs). Specifically, MSSPs and MSPs engaged at the state or local level with Pennsylvania agencies must notify an appropriate official within one hour of the ransomware attack or having received a ransom demand. The affected agency, in turn, must notify the Federal Bureau of Investigation (FBI) of the incident. On-the-dime MSSPs will also see this as an opportunity to help restore affected agencies’ data and systems.
Ransomware Payments, Cyberattacks and a State of Emergency
Penalties for violators depend on the depth of exploitation, ranging from first degree misdemeanors for attacks of less than $10,000 to first degree felonies for ransomware crimes greater than $500,000. The one exception to an agency using taxpayers’ money to meet a ransom demand is if the Governor declares a state of emergency.
There is nothing in the bill that prohibits state and local agencies from using public funds to buy cyber insurance. Victims may sue the cyber perpetrators in civil or criminal court for damages. The law also requires the state’s Office of Administration produce a study assessing the ability of agencies to manage risk, preparedness and incident response to ransomware attacks.
“We have seen an increase in ransomware attacks in governmental entities at all levels, as well as against critical infrastructure across the United States,” said Republican state Senator Kristin Phillips-Hill, the bill’s primary sponsor. “We know that these attacks will grow as technology used by criminals becomes more sophisticated. This legislation draws a line in the sand to say that taxpayers will not pay the ransom requested by entities seeking to illegally extort cash from hard-working Pennsylvanians.”
A second passed bill would require any state agency, school district or local government agency to notify victims within seven days of a breach of personal information. Both bills passed mostly along party lines.
Will Barring Ransomware Payments Eliminate Hacker Temptations?
In the wider view, lawmakers are split on whether barring ransom payments can deter or stop hackers from attacking their states or at the federal level. On the one hand, legislators contend that ransomware crews will steer clear of states if they know officials will decline to cough up ransoms. “If criminals know that Pennsylvania will not pay ransom, we are going to make ourselves a less likely target for these types of attacks,” Phillips-Hill said after introducing the bill. “Our citizens’ personal information is on the line. We have to do everything we can to protect them.”
However, some small local government agencies may find it more expedient and effective to meet a ransom demand rather than refusing to pay up. It’s not clear if Pennsylvania’s small town agencies will fall into that category.
Within Congress, the question whether U.S. companies should be banned from paying hackers who launch ransomware attacks and demand extortion payments in return for decryption keys is as yet unresolved. As with the states, many legislators believe that the potential risk for cyber blackmail by data hijackers is too great. Keep in mind that any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.