Texas Municipalities and Ransomware: Can the Sheriff Surrender to the Outlaw?

Ransomware attacks against government entities are on the rise. Three Florida towns were infected last month alone, and Texas municipalities are increasingly finding themselves between Scylla and Charybdis: pay ransom to hackers or lose data (or access to data) critical to the basic functions of modern cities. This dilemma has been widely discussed practically and abstractly, but there remains little official guidance as to whether a public entity in Texas can legally pay a ransom, even if it is the financially responsible thing to do.  

In one example from earlier this year, on the morning of January 10, a ransomware attack plunged the municipal government of Del Rio, Texas, into a tech blackout. Hackers encrypted the city’s data and demanded ransom for its release. City Hall employees resorted to working with pens, paper and typewriters to keep the local government functioning.

City officials faced a choice that has become familiar in the business world: lose your data or send Bitcoin to cyber-bandits. The Department of Justice estimates that four thousand ransomware attacks occur every day. Municipalities are frequent targets—at least 53 state and local systems were infected in 2018, up from 38 in 2017.

Del Rio decided that recovering the city’s data was worth paying ransom. According to recent CyberEdge research, about 45 percent ransomware victims made a ransom payment. But government entities appear relatively less likely to pay. Another researcher found that “only 17.1 percent of state and local government entities that were hit definitely paid the ransom, and 70.4 percent of agencies confirmed that they did not pay the ransom.” That trend might be changing, however, as two of the three Florida towns infected by ransomware last month opted to pay, as did Atlanta last year.

While valid legal and ethical concerns linger, the consequences of not surrendering to ransom demands can be dire, as some municipalities learned the hard way. A recent standoff over a $76,000 ransom set the city of Baltimore back $18 million. In 2017, a Dallas County police department lost years of evidence when they refused to meet their attackers’ demands.

Using taxpayer dollars to pay off criminals may not sound Texas tough. But ransomware payments are something of a legal wild west—there is little to no law explicitly governing how to respond to such a demand. This gap in the law makes it possible that a Texas municipality might resist paying ransom to free their data, even if payment is the more financially prudent option.

Click below to read the full Texas Lawbook article.