As part of the budget appropriations law enacted on November 18, 2021,[1] North Carolina became the first state in the nation to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.[2] The new law also prohibits public entities from communicating with a malicious actor following a ransomware attack. Instead, such entities must consult with the North Carolina Department of Information Technology (the “Department”) when they experience such an attack.[3] Passage of this law follows a sharp increase in ransomware attacks against state and local governments since 2019.
The new law applies to all local government entities, including cities, counties, local school administrative units, and community colleges. All state agencies—including boards, commissions, bureaus, officials, and other entities of the executive, legislative, and judicial branches, as well as The University of North Carolina—also are subject to the payment and communication prohibitions.[4]
