I have seen decades of "legislate from the hip" laws making computer security situations worse, but this one hits a new low.
Ransomware is already illegal in most places. But Maryland has decided it isn't enough (probably because Baltimore, with it's abysmally stupid storage policies and systems, keeps getting hit), and with Senate Bill 30, has decided that mere possession of ransomware is an offence punishable by ten years in jail.
Now, remember, ransomware is usually malware. So, if you get hit, somewhere on your system there is likely to be a copy of the malware. So, if you are a victim, in Maryland you are probably also a criminal.
Oh, there's also a weak attempt to protect legitimate researchers who are trying to protect against malware, but a) it prevents researchers from actually telling people about the risks (or fixes), and b) gives the bad guys an out to claim that they are actually just researchers.
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
@Steve-Wilme@rslade So at the end of the day, ensure one is fully authorised to carry out security testing, to access the affected systems and to carry out investigations. The same goes for researchers as well - they should have authorisation and a legitimate reason in order to protect themselves. This type of legislation has been in enforce in other countries for many years.
One could also argue the victims are criminals - on the basis, of not protecting their systems in accordance with best practices or investing the appropriate controls to reduce the likelihood of it occurring.
On that basis, the cyber security insurance policy they have would then be null and void, as the clients will be deemed to be criminals. So no pay out in support for becoming a victim?