Pennsylvania Senate passes bill banning taxpayer money to be used for hacker ransoms

Legislation defines ransomware and outlaws the act of possessing, using, developing, selling or threatening to use the technology.

The Pennsylvania Senate has passed legislation to prohibit state and local governments from using taxpayer money to pay ransoms to hackers.

Senate Bill 726, sponsored by Sen. Kristin Phillips-Hill, R-York, defines ransomware and outlaws the act of possessing, using, developing, selling or threatening to use the technology. It includes penalties ranging from a first-degree misdemeanor to a first-degree felony for violations, depending on the monetary amount exploited.

“We have seen an increase in ransomware attacks in governmental entities at all levels, as well as against critical infrastructure across the United States,” Phillips-Hill said. “We know that these attacks will grow as technology used by criminals becomes more sophisticated.

“This legislation draws a line in the sand to say that taxpayers will not pay the ransom requested by entities seeking to illegally extort cash from hard-working Pennsylvanians.”

SB 726 would require state agencies including the General Assembly, local government entities, school districts, state-related universities, community colleges and charter and cyber schools to quickly notify the Office of Administration about ransomware attacks.

The legislation requires managed service providers to notify the proper official in a state agency within an hour of a ransomware discovery, and requires commonwealth agencies to notify the Office of Administration within two hours. The Office of Administration is required by SB 726 to notify the FBI within 24 hours.

The bill also includes one exception for using tax money to pay ransoms “in the event of a declaration of disaster emergency” authorized by the governor.

“The bill would require the Office of Administration to study the preparedness and ability of state agencies to respond to ransomware attacks and review best practices,” Phillips-Hill told colleagues on the Senate floor Wednesday. “The Office of Administration would be required to submit an annual report to the General Assembly with specific information on ransomware attacks.”

Democrats raised concerns during committee hearings on SB 726, particularly in incorporating input from all stakeholders who would be affected, as well as how the bill would limit responses to ransomware attacks.

“The limitations on negotiations are really a concern for me, basically taking negotiation off the table. … It’s not clear to me that should be the strategy universally,” Sen. Art Haywood, D-Philadelphia, said during a Judiciary Committee hearing over the summer.

Lawmakers also discussed the potential cost of the legislation Tuesday during a Senate Appropriations Committee meeting.

“The cost to the (corrections) department and to the commonwealth will be $107,000 for every 10 defendants sentenced to a state correctional institution under the provisions of this bill,” Chair Sen. Patrick Browne, R-Lehigh, said.

SB 726 ultimately passed the Senate on a party-line vote of 29-20 and now heads to the House for consideration.