Ransom disclosure law would give firms 48 hours to disclose ransomware payments
The State of Security
Organizations who find their networks hit by a ransomware attack may soon have to disclose within 48 hours any payments to their extortionists.
That’s the intention of the Ransom Disclosure Act, a new bill proposed by US Senator Elizabeth Warren and Representative Deborah Ross.
Ransomware victims are not currently required to report attacks or ransom payments to federal authorities, but the new bill would require all ransomware victims (excluding individuals) to disclose the following information within 48 hours of a ransom payment:
- The date on which the ransom was demanded.
- The date on which the ransom was paid.
- The amount of ransom demanded.
- The amount of ransom paid.
- The currency used to make the payment (including type of cryptocurrency, if cryptocurrency was used).
- Whether the organisation that paid the ransom receives Federal funds.
- Any known information regarding the identity of the extortionist.