Stricken language would be deleted from and underlined language would be added to present law.
1 State of Arkansas As Engrossed: H4/3/23
2 94th General Assembly A Bill
3 Regular Session, 2023 HOUSE BILL 1704
4
5 By: Representative R. Scott Richardson
6
7 For An Act To Be Entitled
8 AN ACT TO PROHIBIT PUBLIC ENTITIES FROM PAYING A
9 RANSOM FOR A CYBERATTACK; TO REQUIRE PUBLIC ENTITIES
10 TO CREATE A POLICY TO PROHIBIT PAYMENT OF A RANSOM
11 FOR A CYBERATTACK; AND FOR OTHER PURPOSES.
12
13
14 Subtitle
15 TO PROHIBIT PUBLIC ENTITIES FROM PAYING A
16 RANSOM FOR A CYBERATTACK; AND TO REQUIRE
17 PUBLIC ENTITIES TO CREATE A POLICY TO
18 PROHIBIT PAYMENT OF A RANSOM FOR A
19 CYBERATTACK.
20
21
22 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:
23
24 SECTION 1. DO NOT CODIFY. Legislative findings.
25 The General Assembly finds that:
26 (1) Using taxpayer moneys to fund United States adversaries
27 should be illegal;
28 (2) According to the Microsoft Digital Defense Report, at least
29 half of ransomware cyberattacks come from the countries of Russia, China,
30 North Korea, and Iran, with the primary targets being United States entities;
31 (3) Ransomware cyberattacks are one hundred percent (100%)
32 recoverable with adequate backup and recovery processes;
33 (4) Payment of ransoms only encourages further cyberattacks on
34 the same entities;
35 (5) SecurityWeek discovered for entities that pay a ransom in a
36 ransomware cyberattack that at least eighty percent (80%) of those victims
*ANS343* 04-03-2023 12:31:27 ANS343
1 are hit with a second ransomware cyberattack;
2 (6) An entity that pays a ransom to ransom holders that are
3 holding data access hostage is often not successful in regaining data access;
4 and
5 (7) A study by Statista in 2023 reported that only fifty-two
6 percent (52%) of the victims that paid a ransom received data access back on
7 the first ransom payment and that another forty-one percent (41%) had to pay
8 a second ransom to regain data access.
9
10 SECTION 2. Arkansas Code Title 25, Chapter 1, Subchapter 1, is amended
11 to add an additional section to read as follows:
12 25-1-126. Policy regarding prohibition on ransom payments for
13 cyberattacks.
14 (a) As used in this section:
15 (1) "Cyberattack" means an attack on, or a cybersecurity breach
16 of, a public entity;
17 (2) "Public entity" means an instrumentality funded in whole or
18 in part by taxpayer funds, including without limitation:
19 (A) The Department of Agriculture;
20 (B) The Department of Commerce;
21 (C) The Department of Corrections;
22 (D) The Department of Education;
23 (E) The Department of Energy and Environment;
24 (F) The Department of Finance and Administration;
25 (G) The Department of Health;
26 (H) The Department of Human Services;
27 (I) The Department of Inspector General;
28 (J) The Department of Labor and Licensing;
29 (K) The Department of the Military;
30 (L) The Department of Parks, Heritage, and Tourism;
31 (M) The Department of Public Safety;
32 (N) The Department of Transformation and Shared Services;
33 (O) The Department of Veterans Affairs;
34 (P) The offices of constitutional officers;
35 (Q) Political subdivisions of the state;
36 (R) Public school districts;
1 (S) Public school boards of directors;
2 (T) Charter schools;
3 (U) Institutions of higher education;
4 (V) The State Highway Commission;
5 (W) The Arkansas Department of Transportation;
6 (X) The Arkansas State Game and Fish Commission; and
7 (Y) All courts of the State of Arkansas;
8 (3) "Public funds" means state, county, or local government
9 moneys, in addition to any department, agency, or instrumentality authorized
10 or appropriated under state law or derived from any fund in which such moneys
11 are deposited; and
12 (4) "Ransom" means the amount of moneys made in demand by a
13 third party to stop or limit damage or restrictions to the operations of a
14 public entity.
15 (b) A public entity shall not pay ransom for a cyberattack.
16 (c) A public entity shall create a cyberattack policy to prohibit the
17 payment of a ransom for a cyberattack on the public entity.
18
19 SECTION 3. DO NOT CODIFY. EFFECTIVE DATE.
20 (a) This act is effective on and after January 1, 2025, except for
21 applying to:
22 (1) Political subdivisions of the state;
23 (2) Public school districts;
24 (3) Public school boards of directors;
25 (4) Charter schools; and
26 (5) Institutions of higher education.
27 (b) This act is effective on and after January 1, 2027, for:
28 (1) Political subdivisions of the state;
29 (2) Public school districts;
30 (3) Public school boards of directors;
31 (4) Charter schools; and
32 (5) Institutions of higher education.
33
34 /s/R. Scott Richardson
35
36