September 25, 2022

Volume XII, Number 268


Florida Enacts Law Prohibiting State Agencies from Paying Cyber Ransoms

The amendments, enacted as HB 7055, require state agencies and local governments to report ransomware incidents to the state’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Department of Law Enforcement and local sheriff no later than 12 hours after discovery. The Act previously required reporting of certain cybersecurity incidents affecting state agencies, and the amendments expressly add ransomware to the relevant reporting obligations. Reports to the state CSOC must include, at a minimum, the following details:

  • a factual summary of the incident;

  • the date on which the affected agency or local government most recently backed up its data, the physical location of that backup, whether the backup was affected, and whether the backup was cloud-based;

  • the types of data compromised by the incident; 

  • the estimated fiscal impact of the incident; and

  • details of the ransom demanded, if any.

The amendments also impose a severity classification scheme for security incidents, with severity levels ranging from one to five, based on the Department of Homeland Security’s National Cyber Incident Response Plan. The Act defines “incident” broadly as “a violation or imminent threat of violation, whether . . . accidental or deliberate, of information technology resources, security, policies, or practices.” In addition to the 12-hour reporting obligation for ransomware incidents, if a state agency discovers that it has experienced another type of incident at level three or greater, it must also notify Florida’s CSOC and the Cybercrime Office within 48 hours.

Additionally, the amended Act prohibits state agencies, counties and municipalities from paying or otherwise complying with a ransom demand. 

We previously blogged about a similar law in North Carolina, enacted in April 2022, that likewise prohibits state government entities from paying cyber ransoms.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 207

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
