When an organization, business or law firm experiences a random ransomware attack, all challenges must be addressed with a certain level of urgency. From quickly restoring affected data systems to purging a digital perpetrator from your company’s network environment, businesses must tackle all these moving parts while also factoring in the ever-changing obligations of their state’s cybersecurity laws and regulations. As of July 1, 2022, all Florida state agencies and local governments are now subject to a newly amended set of both cybersecurity and ransomware requirements under the Florida State Cybersecurity Act (the Cybersecurity Act). Joining North Carolina as the second state to pass such legislation, Florida’s Cybersecurity Act will establish penalties and financial fines for individuals who prompt or participate in a ransomware attack against any government entity, as well as prohibit the payment of ransom demands.
The Cybersecurity Act defines a ransomware incident as “any malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies or otherwise renders unavailable a state agency’s, county’s or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data or otherwise remediate the impact of the software.”
In addition to addressing the increased issue of ransomware, the Cybersecurity Act also imposes a near-impossible level of notification requirements for state, county and local government entities to keep up with, leaving some legal experts speculating over the wide scope of the amendments and how effective they will be in the future. Forthcoming guidelines are expected to be released soon, which will highlight the proper processes to follow when recovering or cataloging data, conducting risk assessments and filing an incident report, as well as updated cybersecurity training standards.
Following a ransomware attack, all agencies are required to notify the Florida Cybersecurity Operations Center (FCOS) as well as the Cybercrime Office of the Department of Law Enforcement within 12 hours of discovery. During more severe, high-level cybersecurity incidents, an after-action report is required to be expedited to both the President of the Florida Senate and Speaker of the Florida House of Representatives, summarizing the key points of the breach. Despite the amendment’s recent success, Florida state lawmakers plan to adopt new guidelines to be incorporated over the next two years.
The success of the Cybersecurity Act comes months after Governor Ron DeSantis announced the allocation of $20 million in funding towards the creation of more cybersecurity and IT training opportunities across the state. “Expanding Florida’s commitment to creating opportunities in cybersecurity and IT is a top priority to keep our communities safe and our state secure. This funding will not only create opportunities for Floridians seeking jobs in this important field but will also improve our national defense, protect Floridians and their businesses and maintain the integrity of our elections. By doubling available opportunities in this field, Florida continues to lead,” stated DeSantis in a recent press release.
Although North Carolina was the first state to ratify similar legislation, lawmakers believe that Florida is only the next in a greater trend. Currently, there are cybersecurity and ransomware-related bills pending in Arizona, New York, Pennsylvania and Texas, as well as a series of federal bills recently introduced in Congress. For Floridians working in state or local government sectors, the options now available to combat ransomware incidents are likely to be different in the coming months, while the state builds a long-term plan for enhanced cybersecurity. If the Cybersecurity Act and other pending bills are any indication of the future ahead, the scope of this newly amended legislation could span much further than just accessing government data.