
Companies would just add the cost of the punishment into the cost of the ransom, re-evaluate the risk, and probably decide to just keep doing what they're doing.

The problem is not that companies are paying ransoms. The problem is that companies who operate infrastructures of national importance and who collect sensitive data about us are losing control of said infrastructures and data. If paying ransoms is part of the discussion, we're already in a very sorry state. Legal action should be focused first-and-foremost on preventing that loss of control.

First we need to decide what is important enough that we should legally require companies to protect it. Certain data or services may require special licenses, depending on scale and importance.

Then we need to decide on how to evaluate whether or not the company has provided sufficient protection and what the punishment should be for failing to provide sufficient protection.

Then we need to establish a government organization of white-hat hackers who are charged with evaluating the protection measures implemented by companies - much like how a health inspector goes around evaluating the conditions of food service companies.


