Preface: Conducting a ransomware attack against another person may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify individuals whose data is affected by the attack.
Cybersecurity experts will perhaps focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court, and that the fine will be based on the actual situation. But the GDPR is valid in European countries. What about the United States of America?
Who must obey the law:
New York (N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208) – https://www.nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf
California (Cal. Civ. Code §§ 1798.29, 1798.82) – http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82
Illinois (815 ILCS §§ 530/1 to 530/25) – http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act
Texas (Tex. Bus. & Com. Code §§ 521.002, 521.053) – https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002
Arizona (Ariz. Rev. Stat. § 18-545) – https://www.azleg.gov/viewDocument/?docName=http://www.azleg.gov/ars/18/00545.htm
Pennsylvania (73 Pa. Stat. §§ 2301 et seq) – https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)