HARRISBURG – The Senate of Pennsylvania approved significant reforms to how state and local governmental entities must address ransomware attacks moving forward, according to the bill’s sponsor, Senator Kristin Phillips-Hill (R-York).
“We have seen an increase in ransomware attacks in governmental entities at all levels, as well as against critical infrastructure across the United States,” Phillips-Hill said. “We know that these attacks will grow as technology used by criminals becomes more sophisticated. This legislation draws a line in the sand to say that taxpayers will not pay the ransom requested by entities seeking to illegally extort cash from hard-working Pennsylvanians.”
Under Phillips-Hill’s legislation, Senate Bill 726, the act of possessing, using, developing, selling or threatening to use ransomware is defined and made illegal in the Commonwealth. The measure would subject criminals who use ransomware to a range of penalties, from a first-degree misdemeanor to a first-degree felony, depending on the monetary amount exploited.
The measure also requires near-immediate notification of a ransomware attack within state agencies, as well as all branches of state government, including the General Assembly, local governmental entities, school districts, state-related universities, community colleges and charter and cyber charter schools.
The Office of Administration (OA) would be required to produce an annual report detailing the number of ransomware attacks, along with the nature and impact of each attack. In order to mitigate vulnerabilities, OA would be required to study the state’s IT weaknesses and the ability of the state to respond to ransomware attacks. Following the review, OA would develop guidelines featuring best practices and response to potential future ransomware attacks.
The legislation advanced to the House of Representatives for further consideration.