
Privacy & Data Security Alert

April 5, 2022

Not in My Backyard: NC Becomes First State to Prohibit Public Entities from Paying Ransoms

By Patricia A. Markus, Gina Ginn Greenwood, JD, CIPP/US

As part of the budget appropriations law enacted on November 18, 2021,[1] North Carolina became the first state in the nation to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.[2]  The new law also prohibits public entities from communicating with a malicious actor following a ransomware attack.  Instead, such entities must consult with the North Carolina Department of Information Technology (the “Department”) when they experience such an attack.[3]  Passage of this law follows a sharp increase in ransomware attacks against state and local governments since 2019.

The new law applies to all local government entities, including cities, counties, local school administrative units, and community colleges. All state agencies—including boards, commissions, bureaus, officials, and other entities of the executive, legislative, and judicial branches, as well as The University of North Carolina—also are subject to the payment and communication prohibitions.[4] 

Local government entities are required to report cybersecurity incidents to the Department, while private sector entities are encouraged, but not required, to make such reports.[5] Information shared with the Department—such as security features of a public entity’s electronic data processing systems, information technology systems, telecommunications networks, or electronic security systems, including hardware or software security, passwords, or security standards, procedures, processes, configurations, software, and codes—is not subject to public disclosure as a public record.[6]

A similar bill approved by the Pennsylvania Senate in January 2022 would ban the use of taxpayer funds to pay ransoms following cyberattacks, except where the governor has made a declaration of a disaster emergency and authorized the payment.[7] That bill is now before the Pennsylvania House Judiciary Committee. New York is pursuing legislation that would take the prohibition a step further by banning ransomware payments by both public agencies and private companies.[8] 

Statements by lawmakers in North Carolina and Pennsylvania suggest that the policy behind these laws is that if hackers know that a state or local agency is prohibited by law from paying a ransom, the hackers will have no financial incentive to attack such agencies and accordingly will look for victims in other states.[9]

However, not all threat actors are sophisticated enough to understand this.  Moreover, categorically prohibiting ransom payments may disadvantage public agencies that have not created segregated and contained back-up copies of their information systems, as they will be unable to restore or rebuild their systems.  State and local agencies in these states and elsewhere should make efforts to assure that they have multiple layers of security measures and protections in place—including reliable back-up systems, appropriate safeguards for their information technology systems, and adequate cyber insurance coverage.


[1] Current Operations Appropriations Act of 2021, S.L. 2021-180.

[2] N.C.G.S. § 143-800(a).

[3] N.C.G.S. § 143-800(b).

[4] N.C.G.S. § 143-800(c).

[5] N.C.G.S. § 143B-1379(c).

[6] N.C.G.S. § 132-6.1(c).

[7] Pennsylvania SB 726 (2021), available at btCheck.cfm (state.pa.us).

[8] See 2021-2022 NY Senate Bill S6806A § 401(2), available at NY State Senate Bill S6806A (nysenate.gov).

[9] See J. Bergal, “States Weigh Bans on Ransomware Payoffs,” Stateline (Jul. 23, 2021), available at States Weigh Bans on Ransomware Payoffs | The Pew Charitable Trusts (pewtrusts.org).