State legislatures were among the long list of public entities that joined the private sector in abruptly shutting down this past March. Quickly it became clear that as legislatures returned to finish the year’s business, their scope would narrowly focus on COVID-19 related legislation. While it’s too soon to tell how 2021 legislative sessions will unfold, it’s reasonable to forecast that continued legislative efforts to mitigate the health and economic consequences of COVID-19 might crowd-out other legislative priorities.
Among the subject matters that may not inherently strike one as novel coronavirus-related is cybercrime, particularly ransomware, in which criminals deny access to a computer system or data until a ransom is paid. Individuals, businesses, large and small, and units of government of all types and sizes are regularly and increasingly being targeted.
Under normal circumstances, these attacks cripple operations and mitigation costs range from tens of thousands to many millions of dollars. In current times, with governments and businesses just trying to adapt (and in some cases survive) to the challenges brought by COVID-19, a ransomware attack, coupled with COVID-19 disruptions, is exponentially more harmful and stressing. And it is thought that hackers are viewing the coronavirus shutdown as an opportune time to strike when organizations can least afford to be down.
Just last month, INTERPOL issued a warning that organizations at the forefront of battling the COVID-19 outbreak, particularly healthcare organizations, are facing an increase in ransomware attacks. Microsoft security intelligence has detected an uptick in ransomware attacks in April; their hypothesis being hackers infiltrated target networks months prior but patiently waited to unleash the ransomware when the time was right.
Cybersecurity insurance is available to help attacked organizations get back on their feet. A 2018 National Association of Insurance Commissioners report found that about 500 U.S. insurers offer cybersecurity insurance with a total cybersecurity insurance market of approximately $3.6 billion. However, combatting ransomware, already a growing legislative issue, should continue to be prioritized by legislators among other coronavirus mitigation efforts. As America pulls together to fight the virus and restart the economy, cybersecurity breaches are a major economic drain that our country cannot afford.
This year alone, NICB Government Affairs is tracking several ransomware related bills, including:
California SB 922 essentially extends the statute of limitations for prosecution of those engaged in ransomware.
Iowa SF 2391 would prohibit public bodies from expending taxpayer dollars to pay ransomware demands.
Maryland SB 30 creates a criminal offense for possessing ransomware with the intent to introduce the ransomware into a computer or computer network.
Virginia HJ 64 requests the Virginia Information Technologies Agency to study the state’s susceptibility, preparedness, and ability to respond to ransomware attacks.
Louisiana HB 633 would require mandatory training in cybersecurity awareness for all state and local government employees, officials, and contractors.
New York S 7246 seeks to create a cybersecurity enhancement fund to help local governments upgrade cybersecurity, and it also restricts public bodies from using taxpayer dollars to pay ransomware demands.