what does the law say about ransomware


The law addresses ransomware primarily through various cybersecurity, data protection, and cybercrime regulations. In the U.S., federal laws like the Computer Fraud and Abuse Act (CFAA) criminalize unauthorized access and fraud related to computer systems, which includes ransomware attacks. The Health Insurance Portability and Accountability Act (HIPAA) mandates breach notification and sets penalties up to $1.5 million per year for violations involving protected health information. The California Consumer Privacy Act (CCPA) allows consumers to sue businesses for unauthorized data breaches, imposing statutory damages of $100 to $750 per incident. State laws often impose reporting requirements and penalties specific to ransomware.

Paying ransom demands is generally not illegal by itself under U.S. law, but payments could violate financial sanctions if funds go to sanctioned entities, and due diligence is legally advised. Laws related to terrorism financing and money laundering may apply if ransom money supports illegal activities.

Not reporting ransomware incidents or failing to protect sensitive data can lead to lawsuits, regulatory penalties, breach of contract claims, and fines from agencies like the FTC and SEC. Organizations must comply with federal, state, and industry-specific reporting protocols, often involving prompt notification to regulators and affected individuals.

In the U.K., paying ransom isn't per se illegal, but such payments may breach financial sanctions or anti-terrorism laws. Careful due diligence and legal advice are urged before making any payments. The U.K.'s National Cyber Security Centre (NCSC) advises against paying ransoms due to the risks involved.

Overall, ransomware laws focus on prevention, incident reporting, protecting sensitive data, and prosecuting cybercriminal acts. Organizations impacted by ransomware face complex legal obligations to notify authorities, protect data, and avoid unlawful financial transactions with attackers, under threat of substantial penalties and litigation.