North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?

On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat actors in response to a ransomware incident. The law also requires any North Carolina public entity that experiences a ransomware incident to “consult with” the North Carolina Department of Information Technology, in accordance with G.S. 143B‑1379.

In 2021, BakerHostetler handled more than 1,270 matters that involved data security incidents such as ransomware attacks. (See 2022 BakerHostetler Data Security Incident Response Report.) Twelve percent of those matters were for clients in the education sector. The average ransom demand was over $1.5 million, and the average amount paid reached nearly $200,000.

North Carolina’s new law specifically includes local school administrative units, community colleges and The University of North Carolina in

Read more

Explore the site

More from the blog

Latest News