Because businesses and hospitals in Maryland had suffered a large number of ransomware attacks, the new Senate Bill 151 was introduced to increase the penalties for ransomware attacks. The hope is that the higher penalties will dissuade people from conducting ransomware attacks in the state.
As per the bill, ransomware refers to a computer or data contaminant, lock, or encryption that an unauthorized person introduces on a computer, network, or system, thereby restricting access to the computer, information, network, or system. It is followed by a demand for money to remove the contaminant, lock, or encryption.
Present laws in Maryland classify a ransomware attack as a misdemeanor when losses due to the attack are lower than $10,000. It is classified as a felony when losses due to the attack are $10,000 or higher. The bill is attempting to reclassify a ransomware attack as a felony when aggregate losses are over $1,000. Aggregate losses refer to the accumulated value of any lost, stolen, or unrecoverable cash, property, or service because of the crime, including the reasonable expenses of confirming whether a system was altered, accessed, damaged, disrupted, deleted, or destroyed.
The fine for ransomware attacks with over $1,000 in losses would be as high as $100,000, plus up to 10 years' imprisonment. With aggregate losses of under $1,000, the ransomware attack is classified as a misdemeanor, with a fine of as high as $25,000 plus up to 5 years' imprisonment.
A person found to be in possession of ransomware (for non-research purposes) can also be penalized and imprisoned even if not conducting any attack. Possession with motive can result in as much as a $10,000 fine plus up to 10 years' imprisonment.
It would also be possible for an individual who has experienced a particular and direct injury because of a ransomware attack to file a civil action against the attacker to seek damages and to recover the cost of legal action.
Ransomware presents a risk to all businesses, but healthcare organizations are particularly at risk. Ransomware attacks on hospitals result in financial losses and potential harm to patients. Losing access to healthcare systems and the encryption of patient data can interrupt medical services, which could cause fatalities.
Research performed at Vanderbilt University in 2017 indicates that ransomware attacks on hospitals have the potential to result in 2,000 deaths yearly. There are also substantial financial losses, such as the more than $30 million in losses from the ransomware attack on MedStar Health in Maryland in 2016.