North Carolina became the first state in the U.S. to enact a law that prohibits state and local public agencies from engaging with ransomware hackers demanding ransom, and from paying them any ransom. Under the new statute, upon an agency’s discovery of ransomware in its systems, it must report the incident to the North Carolina Department of Information Technology (DoIT) within 24 hours and comply with the DoIT’s instructions.

Other states, including New York and Pennsylvania, are currently debating the enactment of similar laws.