WeVote

Bill

Bill

SD 2020

An Act protecting against cyber ransom

194th Legislature (2025-2026) Introduced by Paul Mark

Massachusetts state/local entities may not pay or contact ransomware attackers and must report ransom demands to the Chief Information Officer for coordinated, expert response.

Referred to the committee on Advanced Information Technology, the Internet and Cybersecurity
0
WeVote Research Nonpartisan
Bill Summary · SD 2020

Summary: Senate Bill SD 2020 — An Act Protecting Against Cyber Ransom

Purpose and intent

An Act Protecting Against Cyber Ransom would prohibit state and local government entities from engaging with ransomware attackers by paying or communicating with them after a cyber incident. The bill also requires that any state or local entity facing a ransom demand promptly report to and consult with the Chief Information Officer (CIO). The underlying aim is to deter ransom payments and ensure coordinated, expert guidance in responding to cyber extortion.

Key provisions

  • Section added to Chapter 7D, Section 7 (as of 2022 Official Edition) with two new subsections:
    • (e) Prohibition on ransom payments/communication: No state agency, local government entity, or municipality may submit payment or otherwise communicate with an entity that has encrypted data and then offered to decrypt that data in exchange for a ransom payment.
    • (f) Mandatory reporting and consultation: Any state agency or local government entity experiencing a ransom demand related to a cybersecurity incident must report to and consult with the CIO.

Who is affected

  • State agencies, local government entities, and municipalities within Massachusetts. The measure targets interactions with ransomware actors and requires formal consultation with the CIO during ransom events.

Procedural and timeline details

  • Introduced: February 27, 2025.
  • Legislative history:
    • House concurrence on February 27, 2025.
    • Referred to the Senate Committee on Advanced Information Technology, the Internet and Cybersecurity on March 10, 2025.
  • Status: Referred to committee for consideration; no final floor action reflected in the provided record.
  • Related items: Similar matter previously filed in the 2023-2024 session (Senate No. 35).

Practical implications

  • Enforcement and compliance: The bill creates a clear policy against paying ransom and requires proactive coordination with the CIO, which could standardize incident response and reduce incentive for attackers.
  • Reporting workflow: Agencies and municipalities would need internal processes to identify ransom demands and trigger CIO consultations, potentially affecting incident response timelines.
  • Scope and limitations: The text provided does not specify penalties for noncompliance, nor does it outline procedures for determining when a ransom request qualifies under the bill. It also does not address other potential responses (e.g., data backups, disaster recovery, or legal/risk considerations).

Notes

  • The bill would amend Chapter 7D of the General Laws “as appearing in the 2022 Official Edition.”
  • No explicit funding or fiscal impact is stated in the summary text provided.

This summary captures the bill’s core intent, provisions, and how it would affect Massachusetts state and local entities if enacted.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.