Florida 2022 2022 Regular Session

Florida House Bill H7055 Introduced / Bill

Filed 02/03/2022

                       
 
HB 7055  	2022 
 
 
 
CODING: Words stricken are deletions; words underlined are additions. 
hb7055-00 
Page 1 of 17 
FLORIDA HOUSE OF REPRESENTATIVES
 
 
 
A bill to be entitled
An act relating to cybersecurity; amending s. 252.351,
F.S.; requiring a list of reportable incidents
maintained by the Division of Emergency Management to
include cybersecurity incidents and ransomware
incidents; requiring a political subdivision to report
cybersecurity incidents and ransomware incidents to
the State Watch Office; amending s. 282.0041, F.S.;
providing definitions; amending s. 282.318, F.S.;
requiring the Department of Management Services,
acting through the Florida Digital Service, to develop
and publish guidelines and processes for reporting
cybersecurity incidents to certain entities; requiring
a state agency to report certain information following
a cybersecurity or ransomware incident; requiring the
department, acting through the Florida Digital
Service, to develop and publish guidelines for the
submission of after-action reports, provide annual
cybersecurity training to certain persons, and provide
after-action reports to the Florida Cybersecurity
Advisory Council on a monthly basis; requiring state
agency heads to annually provide cybersecurity
awareness training to certain persons and report
cybersecurity incidents, ransomware incidents, and
cybersecurity breaches to specified entities;
requiring ransomware incidents to be reported within a
certain period; requiring state agency heads to submit
certain after-action reports to the Florida Digital
Service; creating s. 282.3185, F.S.; providing a short
title; providing a definition; requiring the Florida
Digital Service to develop certain cybersecurity
training curriculum; requiring certain persons to
complete certain training within a specified period
and annually thereafter; authorizing the Florida
Digital Service to provide certain training in
collaboration with certain entities; requiring certain
local governments to adopt certain cybersecurity
standards by specified dates; requiring a local
government to provide certain notification to the
Florida Digital Service; requiring a local government
to notify the State Watch Office and sheriff of a
cybersecurity incident or ransomware incident;
providing notification requirements; requiring the
office to immediately forward certain information to
the Cybersecurity Operations Center and the Cybercrime
Office of the Department of Law Enforcement;
authorizing the Cybersecurity Operations Center and
the Cybercrime Office to provide certain support to a
local government; requiring the Cybersecurity
Operations Center to provide certain information to
the Florida Cybersecurity Advisory Council; requiring
a local government to submit to the Florida Digital
Service an after-action report containing certain
information; requiring the Florida Digital Service to
provide after-action reports to the council on a
monthly basis; requiring the Florida Digital Service
to establish certain guidelines by a specified date;
creating s. 282.3186, F.S.; prohibiting certain
entities from paying or otherwise complying with a
ransom demand; amending s. 282.319, F.S.; revising the
purpose of the Florida Cybersecurity Advisory Council
to include advising counties and municipalities on
cybersecurity; requiring the council to meet at least
quarterly to review certain information and develop
and make certain recommendations; requiring the
council to annually submit to the Governor and the
Legislature a certain ransomware incident report
beginning on a specified date; providing requirements
for the report; providing a definition; creating s.
815.062, F.S.; providing a definition; providing
criminal penalties; requiring a person convicted of
certain offenses to pay a certain fine; requiring
deposit of certain moneys in the General Revenue Fund;
providing a legislative finding and declaration of an
important state interest; providing an effective date.
 
Be It Enacted by the Legislature of the State of Florida:

 Section 1.  Subsection (3) of section 252.351, Florida
Statutes, is amended, and paragraphs (l) and (m) are added to
subsection (2) of that section, to read:
 252.351  Mandatory reporting of certain incidents by
political subdivisions.—
 (2)  The division shall create and maintain a list of
reportable incidents. The list shall include, but is not limited
to, the following events:
 (l)  Cybersecurity incidents as those terms are defined in
s. 282.0041.
 (m)  Ransomware incidents as defined in s. 282.0041.
 (3)(a) As soon as practicable following its initial
response to an incident, a political subdivision shall provide
notification to the office that an incident specified on the
list of reportable incidents has occurred within its
geographical boundaries.
 (b) The division may establish guidelines specifying the
method and format a political subdivision must use when
reporting an incident.
 (c)  A political subdivision must report a cybersecurity
incident or ransomware incident to the office pursuant to s.
282.3185.
 Section 2.  Subsections (24) through (27) and (28) through
(37) of section 282.0041, Florida Statutes, are renumbered as
subsections (25) through (28) and (30) through (39),
respectively, and new subsections (24) and (29) are added to
that section to read:
 282.0041  Definitions.—As used in this chapter, the term:
 (24)  "Office" means the State Watch Office established
within the Division of Emergency Management pursuant to s.
14.2016.
 (29)  "Ransomware incident" means a malicious cybersecurity
incident in which a person or entity introduces software that
encrypts, modifies, or otherwise renders unavailable a state
agency's, county's, or municipality's data and thereafter the
person or entity demands a ransom to restore access to the data
or otherwise remediate the impact of the software.
 Section 3.  Paragraphs (c) and (g) of subsection (3) and
paragraphs (i) and (j) of subsection (4) of section 282.318,
Florida Statutes, are amended, and paragraph (j) is added to
subsection (3) and paragraph (k) is added to subsection (4) of
that section, to read:
 282.318  Cybersecurity.—
 (3)  The department, acting through the Florida Digital
Service, is the lead entity responsible for establishing
standards and processes for assessing state agency cybersecurity
risks and determining appropriate security measures. Such
standards and processes must be consistent with generally
accepted technology best practices, including the National
Institute for Standards and Technology Cybersecurity Framework,
for cybersecurity. The department, acting through the Florida
Digital Service, shall adopt rules that mitigate risks;
safeguard state agency digital assets, data, information, and
information technology resources to ensure availability,
confidentiality, and integrity; and support a security
governance framework. The department, acting through the Florida
Digital Service, shall also:
 (c)  Develop and publish for use by state agencies a
cybersecurity governance framework that, at a minimum, includes
guidelines and processes for:
 1.  Establishing asset management procedures to ensure that
an agency's information technology resources are identified and
managed consistent with their relative importance to the
agency's business objectives.
 2.  Using a standard risk assessment methodology that
includes the identification of an agency's priorities,
constraints, risk tolerances, and assumptions necessary to
support operational risk decisions.
 3.  Completing comprehensive risk assessments and
cybersecurity audits, which may be completed by a private sector
vendor, and submitting completed assessments and audits to the
department.
 4.  Identifying protection procedures to manage the
protection of an agency's information, data, and information
technology resources.
 5.  Establishing procedures for accessing information and
data to ensure the confidentiality, integrity, and availability
of such information and data.
 6.  Detecting threats through proactive monitoring of
events, continuous security monitoring, and defined detection
processes.
 7.  Establishing agency cybersecurity incident response
teams and describing their responsibilities for responding to
cybersecurity incidents, including breaches of personal
information containing confidential or exempt data.
 8.  Recovering information and data in response to a
cybersecurity incident. The recovery may include recommended
improvements to the agency processes, policies, or guidelines.
 9.  Establishing a cybersecurity incident reporting process
that includes procedures and tiered reporting timeframes for
notifying the department, and the Department of Law Enforcement,
the President of the Senate, and the Speaker of the House of
Representatives of cybersecurity incidents. The tiered reporting
timeframes shall be based upon the level of severity of the
cybersecurity incidents being reported. The cybersecurity
incident reporting process shall specify the information that
must be reported by a state agency following a cybersecurity
incident or ransomware incident, which, at a minimum, must
include the following:
 a.  A summary of the events surrounding the cybersecurity
incident or ransomware incident.
 b.  The date on which the state agency most recently backed
up its data, the physical location of the backup, and whether
the backup was created using cloud computing.
 c.  The types of data compromised by the cybersecurity
incident or ransomware incident.
 d.  The estimated fiscal impact of the cybersecurity
incident or ransomware incident.
 e.  In the case of a ransomware incident, the ransom
demanded.
 10.  Incorporating information obtained through detection
and response activities into the agency's cybersecurity incident
response plans.
 11.  Developing agency strategic and operational
cybersecurity plans required pursuant to this section.
 12.  Establishing the managerial, operational, and
technical safeguards for protecting state government data and
information technology resources that align with the state
agency risk management strategy and that protect the
confidentiality, integrity, and availability of information and
data.
 13.  Establishing procedures for procuring information
technology commodities and services that require the commodity
or service to meet the National Institute of Standards and
Technology Cybersecurity Framework.
 14.  Submitting after-action reports following a
cybersecurity incident or ransomware incident pursuant to
subsection (4).
 (g)  Annually provide cybersecurity training to all state
agency technology professionals and employees with access to
highly sensitive information which that develops, assesses, and
documents competencies by role and skill level. The training may
be provided in collaboration with the Cybercrime Office of the
Department of Law Enforcement, a private sector entity, or an
institution of the State University System.
 (j)  Provide any after-action reports received pursuant to
this section to the Florida Cybersecurity Advisory Council on a
monthly basis.
 (4)  Each state agency head shall, at a minimum:
 (i)  Provide cybersecurity awareness training to all state
agency employees within in the first 30 days after commencing
employment, and annually thereafter, concerning cybersecurity
risks and the responsibility of employees to comply with
policies, standards, guidelines, and operating procedures
adopted by the state agency to reduce those risks. The training
may be provided in collaboration with the Cybercrime Office of
the Department of Law Enforcement, a private sector entity, or
an institution of the State University System.
 (j)  Develop a process for detecting, reporting, and
responding to threats, breaches, or cybersecurity incidents
which is consistent with the security rules, guidelines, and
processes established by the department through the Florida
Digital Service.
 1.  All cybersecurity incidents, ransomware incidents, and
breaches must be reported by state agencies to the Florida
Digital Service within the department, and the Cybercrime Office
of the Department of Law Enforcement, the President of the
Senate, and the Speaker of the House of Representatives and such
reports must comply with the notification procedures and
reporting timeframes established pursuant to paragraph (3)(c).
However, a ransomware incident must be reported within 12 hours
after the state agency discovers the incident.
 2.  For cybersecurity breaches, state agencies shall
provide notice in accordance with s. 501.171.
 (k)  Submit to the Florida Digital Service at the
conclusion of a cybersecurity incident or ransomware incident an
after-action report that summarizes the incident, the incident's
resolution, and any insights gained as a result of the incident.
 Section 4.  Section 282.3185, Florida Statutes, is created
to read:
 282.3185  Local government cybersecurity.—
 (1)  SHORT TITLE.—This section may be cited as the "Local
Government Cybersecurity Act."
 (2)  DEFINITION.—As used in this section, the term "local
government" means any county or municipality.
 (3)  CYBERSECURITY TRAINING.—The Florida Digital Service:
 (a)  Shall develop a basic cybersecurity practices training
curriculum for local government employees. All local government
employees with access to the local government's network must
complete the basic cybersecurity training within 30 days after
commencing employment and annually thereafter.
 (b)  Shall develop an advanced cybersecurity training
curriculum for local governments which is consistent with the
cybersecurity training required under s. 282.318(3)(g). All
local government technology professionals and employees with
access to highly sensitive information must complete the
advanced cybersecurity training within 30 days after commencing
employment and annually thereafter.
 (c)  May provide the cybersecurity training required by
this subsection in collaboration with the Cybercrime Office of
the Department of Law Enforcement, a private sector entity, or
an institution of the State University System.
 (4)  CYBERSECURITY STANDARDS.—
 (a)  Each local government shall adopt cybersecurity
standards that safeguard its data, information technology, and
information technology resources to ensure availability,
confidentiality, and integrity. The standards must be consistent
with generally accepted best practices for cybersecurity,
including the National Institute of Standards and Technology
Cybersecurity Framework.
 (b)  Each county with a population of 75,000 or more must
adopt the cybersecurity standards required by this subsection by
January 1, 2024. Each county with a population of fewer than
75,000 must adopt the cybersecurity standards required by this
subsection by January 1, 2025.
 (c)  Each municipality with a population of 25,000 or more
must adopt the cybersecurity standards required by this
subsection by January 1, 2024. Each municipality with a
population of fewer than 25,000 must adopt the cybersecurity
standards required by this subsection by January 1, 2025.
 (d)  Each local government shall notify the Florida Digital
Service of its compliance with this subsection as soon as
practicable.
 (5)  INCIDENT NOTIFICATION.—
 (a)  A local government shall provide notification of a
cybersecurity incident or ransomware incident to the office
pursuant to s. 252.351 and to the sheriff who has jurisdiction
over the local government. The notification must include, at a
minimum, the following information:
 1.  A summary of the events surrounding the cybersecurity
incident or ransomware incident.
 2.  The date on which the local government most recently
backed up its data, the physical location of the backup, and
whether the backup was created using cloud computing.
 3.  The types of data compromised by the cybersecurity
incident or ransomware incident.
 4.  The estimated fiscal impact of the cybersecurity
incident or ransomware incident.
 5.  In the case of a ransomware incident, the ransom
demanded.
 (b)  Notification must be provided as soon as practicable
but no later than:
 1.  Forty-eight hours after a local government discovers a
cybersecurity incident.
 2.  Twelve hours after a local government discovers a
ransomware incident.
 (c)  The office shall immediately forward all cybersecurity
incident and ransomware incident information to the
Cybersecurity Operations Center operated and maintained pursuant
to s. 282.318(3)(h) and the Cybercrime Office of the Department
of Law Enforcement. The Cybersecurity Operations Center and the
Cybercrime Office shall review the reported information and may
provide support to the local government in its response to the
cybersecurity incident or ransomware incident. The Cybersecurity
Operations Center shall provide all information received
relating to the cybersecurity incident or ransomware incident to
the Florida Cybersecurity Advisory Council.
 (6)  AFTER-ACTION REPORT.—After a cybersecurity incident or
ransomware incident has concluded, the reporting local
government shall submit an after-action report to the Florida
Digital Service that summarizes the incident, the incident's
resolution, and any insights gained as a result of the incident.
The Florida Digital Service shall provide all after-action
reports to the Florida Cybersecurity Advisory Council on a
monthly basis. By December 1, 2022, the Florida Digital Service
shall establish guidelines specifying the method and format for
submitting an after-action report.
 Section 5.  Section 282.3186, Florida Statutes, is created
to read:
 282.3186  Ransomware incident compliance.—A state agency as
defined in s. 282.318(2), a county, or a municipality
experiencing a ransomware incident may not pay or otherwise
comply with a ransom demand.
 Section 6.  Subsections (2) of section 282.319, Florida
Statutes, is amended, paragraphs (g) and (h) are added to
subsection (9), and subsections (12) and (13) are added to that
section, to read:
 282.319  Florida Cybersecurity Advisory Council.—
 (2)  The purpose of the council is to:
 (a) Assist state agencies in protecting their information
technology resources from cybersecurity cyber threats and
incidents.
 (b)  Advise counties and municipalities on cybersecurity,
including cybersecurity threats, trends, and best practices.
 (9)  The council shall meet at least quarterly to:
 (g)  Review information relating to cybersecurity incidents
and ransomware incidents to determine commonalities and develop
best practice recommendations for state agencies, counties, and
municipalities.
 (h)  Recommend any additional information that a county or
municipality should report to the office as part of its
cybersecurity incident or ransomware incident notification
pursuant to ss. 252.351 and 282.3185.
 (12)  Beginning December 1, 2022, and each December 1
thereafter, the council shall submit to the Governor, the
President of the Senate, and the Speaker of the House of
Representatives a comprehensive report that includes data,
trends, analysis, findings, and recommendations for state and
local action regarding ransomware incidents. At a minimum, the
report must include:
 (a)  Descriptive statistics including the amount of ransom
requested, duration of the incident, and overall monetary cost
to taxpayers of the incident.
 (b)  A detailed statistical analysis of the circumstances
that led to the ransomware incident, including breadth of
employee training and frequency of data backup.
 (c)  Specific issues identified with current policies,
procedures, rules, or statutes and recommendations to address
such issues.
 (d)  Any other recommendations to prevent ransomware
incidents.
 (13)  For purposes of this section, the term "state agency"
has the same meaning as provided in s. 282.318(2).
 Section 7.  Section 815.062, Florida Statutes, is created
to read:
 815.062  Offenses against governmental entities.—
 (1)  As used in this section the term "governmental entity"
means any official, officer, commission, board, authority,
council, committee, or department of the executive, judicial, or
legislative branch of state government; any state university;
and any county or municipality, special district, water
management district, or other political subdivision of the
state.
 (2)  A person who willfully, knowingly, and without
authorization introduces a computer contaminant that encrypts,
modifies, or otherwise renders unavailable data, programs, or
supporting documentation residing or existing within a computer,
computer system, computer network, or electronic device owned or
operated by a governmental entity and demands a ransom to
restore access to the data, programs, or supporting
documentation or otherwise remediate the impact of the computer
contaminant commits a felony of the first degree, punishable as
provided in s. 775.082, s. 775.083, or s. 775.084.
 (3)  An employee or contractor of a governmental entity
with access to the governmental entity's network who willfully
and knowingly aids or abets another in the commission of a
violation of subsection (2) commits a felony of the first
degree, punishable as provided in s. 775.082, s. 775.083, or s.
775.084.
 (4)  In addition to any other penalty imposed, a person
convicted of a violation of this section must pay a fine equal
to twice the amount of the ransom demand. Moneys recovered under
this subsection shall be deposited into the General Revenue
Fund.
 Section 8.  The Legislature finds and declares that this
act fulfills an important state interest.
 Section 9.  This act shall take effect July 1, 2022.