Arizona lawmaker proposes ban on taxpayer-funded ransomware payouts

Proposed law would ban any public entity in Arizona that’s held ransom for its digital assets from paying the ransom.

Updated: January 11, 2022 - 11:29pm

Any public entity in Arizona that’s held ransom for its digital assets could not pay the ransom to get those assets back, under a new proposal.

State Rep. Shawnna LM Bolick, R-Phoenix, filed two bills Tuesday that would ban state or local entities from paying off a ransomware attack.

A ransomware attack is typically described as a situation where an entity’s sensitive or valuable data is encrypted or taken from it by another entity asking to be paid in exchange for its safe return. The Federal Bureau of Investigation advises against paying for information that’s held captive in this manner, as it not only enables more ransomware attacks but often doesn’t result in the entity giving the information back.

The FBI says ransomware can be downloaded in a number of ways, including by opening an email attachment, clicking an ad or a link, or visiting a corrupted website containing malware.

House Bill 2145 bans any such payment by the state or any political subdivision to reacquire data held ransom. House Bill 2146 requires any unit of government subject to a ransomware attack to report the situation to the state Department of Homeland Security.

“As more data security breaches and ransomware attacks are on the rise, we must ensure the bad actors are not receiving compensation for these breaches,” said Bolick. “I have sponsored two bills to prohibit ransomware payment and to notify the Director of the Arizona Department of Homeland Security of data security breaches, so there can be a coordinated effort to push back against this malfeasance.”

An October 2020 report from the Financial Crimes Enforcement Network found exchanges and other financial institutions reported $590 million in ransomware payments in the first half of 2021. The report said that exceeds 2020’s total of $416 million.

“Further, paying a ransom incentivizes and emboldens cyber criminals to target more organizations,” Bolick said. “Worse, ransom payments may be used to fund other illicit activity. With the additional policies and reporting requirements in place, Arizona can be recognized as a top leader in this country when it comes to responding and shutting down this criminal activity.”