TECH INSIGHTS: Does Your Municipality Plan to Pay a Ransomware Ransom? States Starting to Say “No”

The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.

When municipalities get caught off guard by a ransomware attack, they sometimes see paying the ransom as a way out. It’s not a pretty option, but it’s (supposedly) a way to get your data back in a worst-case situation.

However, cybersecurity experts and law enforcement officials have warned for years that paying a ransom is not the right decision for many reasons:

• 92% of impacted organizations don’t get all their data back. (Source)
• 29% of impacted organizations cannot get more than half their data back. (Source)
• Of those organizations that pay a ransom, 80% get hit again. (Source)
• Cybercriminals may still be inside your systems after you pay.
• You are keeping cybercriminals in business and validating their business model.
• You may be funding terrorism, sex trafficking, drug trading, and other illicit activities.
• You are saying “Target me again!”

For those and many other reasons, municipalities should not pay a ransom. Yet, they do. To stop these payments from happening, states are seeking to deter municipalities.

• North Carolina: On April 5, 2022, North Carolina passed a law prohibiting municipalities from paying a ransom related to a ransomware attack and even communicating with any cybercriminals instigating the ransomware attack.
• Florida: HB 7055 (passed by the House and Senate and likely to be signed into law by Governor Ron DeSantis) also prohibits municipalities from paying a ransom.
• Pennsylvania: SB 726 passed the Senate but stalled in the House. This bill prohibits using taxpayer money to pay a ransom but makes an exception if the Governor declares a disaster emergency and deems paying a ransom to be necessary in that situation.
• New York: Senate Bill S6806A made it to committee in the Senate. Like the other bills, it prevents governmental entities (including municipalities) from paying a ransom related to a ransomware attack.

These are just a few examples of states that are aggressively pursuing laws, with bipartisan support, that prevent municipalities from paying ransoms. Similar to data breach notification legislation or data privacy laws, it just takes a few states to set the example before other states follow suit.

This is a good time to ask yourself, “Am I prepared for a ransomware attack without the option of paying a ransom?”

If you’re concerned about this trend and don’t like the idea of a ransom payment removed from your arsenal, consider once again the above facts and statistics while also taking the opportunity (especially with ARPA funds) to put a foundation in place that helps you deal effectively with a ransomware attack.

1. Regularly patch your software.
2. Update your operating system.
3. Modernize your technology and get rid of legacy systems.
4. Build a highly available data backup and disaster recovery solution.
5. Monitor systems to proactively detect issues and contain damage.
6. Separate critical systems from less critical systems.
7. Never pay the ransomware ransom!

Kevin Howarth is the Communications Manager for VC3, the largest managed services provider focused on local government in the United States. His background includes 20 years of content marketing experience in information technology, cybersecurity, and municipal government.

About VC3 

VC3 is a leading managed services provider focused on municipal government. Founded in 1994 with offices across the East Coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.