Laws Addressing Ransomware and Computer Extortion
As of July 1, 2022
Ransomware is computer malware that is installed covertly on a victim's computer and prevents access to it, followed by a demand for a ransom payment in exchange for returning access or not publishing or exposing data held on the computer.
At least 12 states, listed below, expressly address “ransomware” and/or computer extortion in statute. Most of these states criminalize ransomware and provide for specific penalties. Florida, Indiana, Louisiana and North Dakota require public entities to report ransomware incidents. Texas authorizes the Texas Department of Transportation to purchase insurance coverage for ransomware.
North Carolina prohibits state agencies and local entities from making ransomware payments.
In addition to laws that expressly mention ransomware or computer extortion, other states, like North Carolina (NCGA § 143B-1379), require reporting of cyber incidents generally (which may include ransomware attacks), or state IT departments may require agencies to report cyber incidents to a CISO or other official. Other types of laws (e.g., those that prohibit extortion and computer crimes such as malware or computer trespass) could also potentially be used to prosecute ransomware crimes.
Laws Addressing Ransomware and Computer Extortion
| State | Citation |
|---|---|
| California | Calif. Penal Code § 523 Provides that every person who, with intent to extort property or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable pursuant to Section 520 in the same manner as if such property or other consideration were actually obtained by means of the ransomware. |
| Connecticut | Conn. Gen. Stat. § 53a-262 Provides that a person is guilty of computer extortion by use of ransomware when such person introduces ransomware into any computer, computer system or computer network and demands payment of money or other consideration to remove the ransomware, restore access to the computer, computer system, computer network or data contained on such computer, computer system or computer network, or otherwise remediate the impact of the ransomware. |
| Florida | 2022 HB 7055 Requires state agencies and local governments to report ransomware incidents to certain entities within specified timeframes. Requires an annual ransomware incident report be submitted to the Governor and the Legislature. |
| Indiana | Ind. Code § 4-13.1-1-1.5, -2-9, -2-10 Requires the office of technology to maintain a repository of cybersecurity incidents, provides that a state agency and a political subdivision shall report any cybersecurity incident, including ransomware, to the office without unreasonable delay and not later than two business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer, allows the office of technology to assist a state agency with certain issues concerning information technology. |
| Louisiana | La. Rev. Stat. §§ 51:2111 to 51:2116 Creates a registration system for managed service providers and managed security service providers doing business in the state with a public body. Provides access for public bodies to obtain information on managed service providers and managed security service providers. Requires managed service providers and managed security service providers to report to the Louisiana Fusion Center any cyber incidents and the payment of cyber ransom or ransomware. Acts 2020, No. 117, §2, eff. Feb. 1, 2021. |
| Maryland | Prohibits a person from knowingly possessing certain ransomware with the intent to use the ransomware for purposes of introduction into a computer, network or system of another person, alters and establishes certain penalties, authorizes a victim of a certain offense to bring a civil action for damages against a certain person. Md. Stat. Crim. Law § 7-302(12) (2021 H.B. 425 / 2021 S.B. 623) |
| Michigan | Mich. Penal Code §§ 750.409b, Section 777.16t Provides penalties for unauthorized possession or use of ransomware. |
| North Carolina | NCGS § 143-800 (2021 S.B. 105 (art. 84)) Prohibits state agencies or local government entities from submitting payment or otherwise communicating with an entity that is making a ransomware demand. |
| North Dakota | N.D. Cent. Code § 54.59.1 et seq. Requires an entity to disclose to the department an identified or suspected cybersecurity incident that affects the confidentiality, integrity, or availability of information systems, data, or services. Disclosure must be made in the most expedient time possible and without unreasonable delay. Cybersecurity incidents required to be reported to the department include: 1. Suspected breaches; 2. Malware affecting more than ten thousand dollars worth of devices or services incidents that cause significant damage; 3. Denial of service attacks that affect the availability of services; 4. Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records; ... |
| Oklahoma | Relates to crimes and punishments, relates to the Oklahoma Computer Crimes Act, modifies definition, defines terms, expands the scope of certain prohibited acts to include ransomware and other malicious computer programs, makes certain acts unlawful, provides construing provision, provides an effective date. (2021 H.B. 1759) |
| Texas | Tex. Penal Code § 33.02 Provides that a person commits an offense if the person intentionally introduced ransomware onto a computer, computer network or computer system through deception and without a legitimate business purpose. |
| Texas | Tex. Trans. Code § 201.712 Provides that the Department of Transportation may purchase insurance coverage that the department considers necessary to protect against liability, revenue, and property losses that may result from a data breach or cyber attack. Insurance purchased under this section may include coverage for business and dependent business interruption loss, breach response, data recovery, cyber extortion or ransomware response, fiduciary liability, media liability, professional liability, or expenses for general incident management, such as investigation, remediation, and notification. |
| West Virginia | WV Code §§ 61-3C-3 to 61-3C-4 Creates criminal penalties for introducing ransomware into any computer, computer systems or computer network with the intent to extort money or other consideration. Sets forth the elements of the offense and establishes criminal penalties. |
| Wyoming | Wyo. Stat. §§ 6-3-506, 6-3-507 Creates the criminal offense of computer extortion. Specifies elements of the offense, provides penalties, and expands the list of computer crimes to be investigated by the division of criminal investigation. |