Florida Enacts Law Prohibiting State Agencies from Paying Cyber Ransoms
The amendments, enacted as HB 7055, require state agencies and local governments to report ransomware incidents to the state’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Department of Law Enforcement and the local sheriff no later than 12 hours after discovery. The Act previously required reporting of certain cybersecurity incidents affecting state agencies, and the amendments expressly add ransomware to the relevant reporting obligations. Reports to the state CSOC must include, at a minimum, the following details:
a factual summary of the incident;
the date on which the affected agency or local government most recently backed up its data, the physical location of that backup, whether the backup was affected, and whether the backup was cloud-based;
the types of data compromised by the incident;
the estimated fiscal impact of the incident; and
details of the ransom demanded, if any.
The amendments also impose a severity classification scheme for security incidents, with severity levels ranging from one to five, based on the Department of Homeland Security’s National Cyber Incident Response Plan. The Act defines “incident” broadly as “a violation or imminent threat of violation, whether . . . accidental or deliberate, of information technology resources, security, policies, or practices.” In addition to the 12-hour reporting obligation for ransomware incidents, if a state agency discovers that it has experienced another type of incident at level three or greater, it must also notify Florida’s CSOC and the Cybercrime Office within 48 hours.
Additionally, the amended Act prohibits state agencies, counties and municipalities from paying or otherwise complying with a ransom demand.
We previously blogged about a similar law in North Carolina, enacted in April 2022, that likewise prohibits state government entities from paying cyber ransoms.