Ransomware Legislation: A Window Into Tomorrow’s Compliance Obligations

A few weeks ago we wrote about the threat that increasingly sophisticated ransomware criminals posed to law firms, and we suggested several measures that law firm leaders might take to minimize the likelihood that they — and their clients — would become a victim of these attacks.

In this post, we look at another danger arising from the growing scourge of ransomware attacks: the “threat” of new and potentially burdensome legal compliance obligations that may arise as federal and state governments step in to secure the nation’s critical computer networks.

At last count, eight legislative proposals have been introduced in the 117th Congress that would create an obligation for many businesses to report ransomware attacks on their computer networks. State legislatures are also interested in joining the fight against ransomware. Proposals are popping up around the country to create new ransomware crimes, to impose ransomware notification obligations, or to forbid government agencies and businesses from paying ransom demands.

What is ransomware? Ransomware is a type of malware designed to render files inaccessible to their rightful owner via encryption and, in some cases, will collect and remove valuable data from the computer. Having succeeded in installing ransomware on the victim’s device or network, ransomware criminals will demand a ransom in exchange for returning control and functionality of the device or network to the victim.

Until recently, a ransomware event involved a payment of money in exchange for the return of the compromised computer. Lately, however, ransomware criminals have shifted tactics. It’s becoming common for ransomware criminals to threaten to publicly expose pilfered data, to launch denial of service attacks against the victim, or to threaten to harass the victim’s business partners, employees, and customers with news of the ransomware attack. Ransomware payments in the U.S. alone exceeded $590 million in the first half of 2021 according to the U.S. Treasury Department Financial Crimes Enforcement Network.

Legislators Respond to Ransomware Attacks

Not surprisingly, federal cybersecurity agencies and bank regulators have responded to the ransomware threat by prosecuting ransomware criminals where current law allows and by rolling out new public education campaigns to help businesses deter ransomware attacks and to encourage businesses to enlist government assistance when they are victimized.

Many cybersecurity experts in government believe that law enforcement must take a more active role in protecting the nation’s critical computer networks from ransomware attacks. Importantly, they want greater assistance from businesses in the form of rapid, detailed notifications when private computer networks have experienced a ransomware attack.

Business entities, generally speaking, have no legal duty to report a ransomware attack unless the attack triggers a notification obligation under a state or federal data breach notification statute. But there are several bills pending in Congress to impose just such a notification obligation on businesses (including, of course, law firms). These legislative proposals are:

• Cyber Incident Reporting Act (S. 2875), introduced Oct. 6, 2021. The measure would require critical infrastructure operators to report cyber-attack within 72 hours and all businesses with more than 50 employees to report a ransomware payment within 24 hours.
• Cyber Incident Notification Act (S. 2407), introduced July 21, 2021. The measure would require “covered entities” (to be defined by the Department of Homeland Security rulemaking) to report cyber-intrusions and ransomware attacks within 24 hours.
• Cyber Incident Reporting for Critical Infrastructure Act (H.R. 5441), introduced Sept. 30, 2021. Similar to S. 2875.
• Sanction and Stop Ransomware Act (S. 2666), introduced Aug. 5, 2021. The measure would require the federal government to develop a standardized process for receiving ransomware notifications; impose notification obligations on covered businesses; and require the Department of Treasury to take steps to reduce the anonymity of cryptocurrencies transactions.  
• Ransomware and Financial Stability Act (H.R. 5936), introduced Nov. 9, 2021. The measure would forbid financial institutions from making ransomware payments without federal approval.
• Ransomware Disclosure Act (H.R. 5501), introduced Oct. 5, 2021. The measure would require ransomware victims to disclose ransom payments to the Department of Homeland Security within 48 hours. 
• Ransomware Disclosure Act (S. 2943), introduced Oct. 6, 2021. Similar to H.R. 5501.
• Bill to require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes (S. 2926), introduced Oct. 4, 2021. The measure would define entities obligated to report ransomware payments and direct the creation of a website for ransomware victims to report offenses.

It doesn’t take a K Street lobbyist to figure out that there is a lot of federal interest in requiring businesses to reveal to the government when they have been the victim of a ransomware attack. So far, none of these bills have received a committee hearing or consideration by the House or Senate. However, cybersecurity legislation is a perennial topic of interest on Capitol Hill that could see action in response to a crippling, large-scale ransomware event.

[March 11 update: On March 10, the House of Representatives passed the Strengthening American Cybersecurity Act of 2022, a bill that requires critical infrastructure providers to report cyberattacks to the federal government within 72 hours. Under the bill, payments of ransomware would have to be reported within 24 hours. Cybersecurity experts said they believed that the Russia-Ukraine war and the consequent increased likelihood of Russia-directed cyberattacks against U.S. businesses motivated Congress to enact the new reporting obligations. The bill also gives the Cybersecurity and Infrastructure Security Agency authority to issue subpoenas to critical infrastructure providers believed to possess unreported information about cyberattacks.

CISA defines critical infrastructure providers as companies belonging to the following industries: chemical, telecommunications, energy, health care, water and wastewater, food and agriculture, nuclear energy, financial services, information technology, defense, transportation systems, emergency services, critical manufacturing, government facilities, and commercial facilities. Law firms are not currently defined as critical infrastructure providers, although they could be so designated in a future CISA rulemaking proceeding.

The Senate passed the bill on March 2, so it now goes to President Biden, who is widely expected to sign it.]

State legislatures are also interested in regulating the ransomware phenomenon. Legislatures in North Carolina, New York, Pennsylvania, and Texas considered but failed to pass ransomware bills in 2021.

There’s some evidence that 2022 will be different. On Jan. 19 the Pennsylvania Senate passed S.B. 726, a measure that would create new ransomware crimes and prohibit government agencies from making ransomware payments with tax dollars, but it would authorize them to purchase cyberinsurance policies to cover public costs of making ransomware payments. S.B. 726 was referred to the state House for consideration.

Some government entities aren’t waiting for a legislative invitation to purchase liability protection. In Utah, the state judicial branch’s FY2023 budget includes $320,000 funding for “cybersecurity ransomware insurance.”

The New York Senate is currently considering S.B. 6154, a similar bill that would restrict the use of state funds for making ransomware payments and create a new cybersecurity enhancement fund.

In Illinois, legislation that would make it a felony to intentionally transmit ransomware was introduced last month.

In Florida, the Senate is considering S.B. 1670, a measure that would create ransomware criminal offenses and would restrict the ability of local governments to pay ransom to ransomware criminals. Legislation was recently introduced in both the House (H.B. 2044) and Senate (S.B. 5916) to create a program to harden state computer networks against the threat of ransomware and other cyber-attacks.

The foregoing examples of possible legislative action on ransomware are by no means exhaustive. It’s likely that most, if not all, state governments are readying some type of regulatory response to the problem of ransomware. 

How Should Law Firms Respond?

Obviously, no one can know for certain which, if any, of these legislative proposals will become law. And the devil is always in the details, isn’t it? Nevertheless, it’s possible to extract five actionable takeaways from a close reading of the legislation that has been proposed to date.

1. Be prepared to report incidents quickly. The 24-hour reporting limit for ransomware payments will be challenging for law firms. The obligation to meet such a short deadline will require law firms to have well-written and well-understood incident response plans in place prior to a ransomware attack. Now is the time to create such a plan if the firm doesn’t have one already.
2. Watch out for fines due to noncompliance. The Cyber Incident Notification Act (S. 2407) contains provisions that give federal agencies the authority to subpoena businesses for information relating to network attacks. However, Cybersecurity and Infrastructure Security Agency Director Jen Easterly reportedly told senators last fall that fines may be necessary to coerce businesses into complying with disclosure requirements.
3. Don’t make ransomware payments hastily. Several bills prohibit covered entities from making ransomware payments without government permission. No firm should make a ransomware payment without extended consultations with its legal counsel, its insurance carriers and, possibly, the relevant federal, state, and local governments. Even though there is no current legal obligation (outside of data breach notification laws) to report a ransomware attack, some legal experts have raised the possibility that ransomware payments are already illegal under federal regulations that ban payments to terrorist organizations and persons on the Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List.
4. Adhere to industry-standard cybersecurity practices. Several state ransomware proposals contain new requirements that information technology vendors that work with state governments meet minimum cybersecurity standards. Law firms that work with state governments should ensure that their operations meet these tests.
5. Consider purchasing cyberinsurance for ransomware. Many cyberinsurance policies cover ransomware attacks, and for that reason have become popular with businesses and law firms during the past few years, according to a recent U.S. Government Accountability Office report. However, premiums for these policies are rising rapidly in response to an evolving threat landscape. Now might be a good time to carefully review the protections these policies provide and to budget accordingly.

The bottom line for law firms is to be prepared. Although no one can know what the eventual rules will be, it seems certain that the ability to connect to the internet will soon require law firms to shoulder more responsibility for cybersecurity than ever before.