By John M. Janousek, Esquire – Roper, P.A.
CS/HB 7055 (“Cybersecurity Bill” or “Bill”) is a recent Florida bill passed by both the Florida House and Senate unanimously, which will become effective July 1, 2022, subject to the Governor’s veto powers.
Among other things, the Bill creates Section 282.3185, Florida Statutes, titled “Local Government Cybersecurity Act”, which imposes several requirements on Florida counties and municipalities in responding to cybersecurity and ransomware incidents.
This article provides a summary of certain of those requirements.
Prohibition on Paying / Complying with Ransomware Demands
First, the Bill creates Section 282.3186, Florida Statutes, which states: “A state agency as defined in s. 282.318(2), a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.” 1
As such, in the event a Florida county or municipality experiences a ransomware incident, the Act prohibits such entity from paying or otherwise complying with the ransom demanded.
The Act also imposes upon local governments certain reporting requirements regarding cybersecurity and ransomware incidents. Specifically, a local government shall report all ransomware incidents and certain cybersecurity incidents to (1) the Cybersecurity Operations Center, (2) the Cybercrime Office of the Department of Law Enforcement, and (3) the sheriff having jurisdiction over the local government. Such report must be made as soon as possible, but no later than 48 hours after discovery of a cybersecurity incident and no later than 12 hours after discovery of a ransomware incident.
Regarding cybersecurity incidents, a local government is required to report any cybersecurity incident it deems to be of severity level 3, 4, or 5, as provided in FLA. STAT. § 282.318(3)(c), which is itself significantly revised by the Cybersecurity Bill. Specifically, the newly revised Section 282.318(3)(c) sets forth five (5) levels of severity for a cybersecurity incident. Such levels are defined by the National Cyber Incident Response Plan of the U.S. Department of Homeland Security, as follows:
- Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence;
- Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence;
- Level 3 is a high-level incident that is likely to result in demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence;
- Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties; and
- Level 5 is an emergency-level incident within the specified jurisdiction that poses an immediate threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents.
As noted, pursuant to the Act, a local government is required to report any cybersecurity incident it deems to be of severity level 3, 4, or 5. A local government may report a cybersecurity incident that it determines to be of severity level 1 or 2.
For any report by a local government of a ransomware or cybersecurity incident, the local government must include, at a minimum, the following:
- A summary of the facts surrounding the cybersecurity incident or ransomware incident;
- The date on which the local government most recently backed up its data, the physical location of the backup (if the backup was affected), and if the backup was created using cloud computing;
- The types of data compromised by the cybersecurity or ransomware incident;
- The estimated fiscal impact of the cybersecurity or ransomware incident;
- The details of the ransom demanded, in the case of a ransomware incident; and
- A statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the local sheriff.
Finally, the Act also imposes an “after-action report” requirement, such that the local government must submit to the Florida Digital Service, 2 within 1 week after the remediation of a cybersecurity or ransomware incident, a report that summarizes the incident, the incident’s resolution, and any insights gained as a result of the incident.
The Florida Digital Service shall establish guidelines and processes for submission of these reports by December 1, 2022.
The Act also requires all local government employees with access to the local government’s network to complete certain basic cybersecurity training within thirty (30) days after commencing employment and annually thereafter.
Similarly, it requires all local government technology professionals and employees with access to highly sensitive information to complete an advanced cybersecurity training within thirty (30) days after commencing employment and annually thereafter.
Both the basic cybersecurity training and the advanced cybersecurity training are to be developed by the Florida Digital Service.
The Act also requires each local government to adopt cybersecurity standards that safeguard the local government’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. Such standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.
Each county with a population of 75,000 or more, and each municipality with a population of 25,000 or more, must adopt such cybersecurity standards by January 1, 2024. Each county with a population of less than 75,000, and each municipality with a population of less than 25,000, must adopt such cybersecurity standards by January 1, 2025. Each local government must notify the Florida Digital Service once it has complied with this adoption requirement.
Given these requirements, counties and municipalities should work with their respective I.T. professionals on adopting appropriate cybersecurity standards, so as to comply with the Act.
Finally, the Bill creates Section 815.062, Florida Statutes, which criminalizes certain ransomware incidents. Specifically, a person who willfully, knowingly, and without authorization engages in a ransomware incident against a governmental entity, including a county or municipality, commits a first degree felony.
An employee or contractor of a governmental entity with access to the governmental entity’s network who willfully and knowingly aids or abets another in the commission of such ransomware incident also commits a first degree felony.
In addition to other penalties, a person convicted of any of the above offenses must pay a fine equal to twice the amount of the ransom demand. Said funds are deposited into the General Revenue Fund.
1 The Bill defines the term “ransomware incident” as “a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.”
2 The Florida Digital Service is a service within the Florida Department of Management Services whose purposes include, inter alia, providing operational management and oversight of the state data center, including developing and implementing a process for detecting, reporting, and responding to cybersecurity incidents, breaches, and threats, in collaboration with the Department of Law Enforcement.
John Janousek was admitted to the Florida Bar in 2012 and is admitted to practice before the United States District Courts for the Middle and Southern Districts of Florida, and the United States Court of Appeals for the Eleventh Circuit. Mr. Janousek received his Bachelor of Arts, majoring in Philosophy, cum laude, from the University of Florida in 2008 and his J.D., cum laude, from the University of Florida Levin College of Law in 2012. While in law school, Mr. Janousek served as the Senior Research Editor for the Florida Law Review. He was awarded the Outstanding Candidate Award and the Outstanding Associate Editor Award. He also earned book awards for both Law Review and Antitrust. Prior to joining Roper, P.A., Mr. Janousek served as a law clerk to the Honorable Maurice M. Paul, Senior United States District Judge, in the United States District Court for the Northern District of Florida. He also worked in private practice, defending clients in federal and state civil matters in such areas as products liability, personal injury, and malpractice liability.
Mr. Janousek practices primarily in the areas of civil rights, employment law, public entity law, and insurance coverage.
For more information regarding the Cybersecurity Bill and its requirements, please do not hesitate to contact the undersigned counsel.
John M. Janousek, Esq. – Roper, P.A. | 2707 East Jefferson Street Orlando, FL 32803 |Ph: 407-897-5150 | Email: [email protected]