Florida 2022 Regular Session

Florida House Bill H7055 Compare Versions

Old: ENROLLED CS/HB 7055, 2022 Legislature (hb7055-02-er)
New: CS/HB 7055, 2022 (hb7055-01-c1)
CODING: Words stricken are deletions; words underlined are additions.
FLORIDA HOUSE OF REPRESENTATIVES
A bill to be entitled
An act relating to cybersecurity; amending s. 282.0041, F.S.; providing and revising definitions; amending s. 282.318, F.S.; requiring the Department of Management Services, acting through the Florida Digital Service, to develop and publish guidelines and processes for reporting cybersecurity incidents; requiring state agencies to report ransomware incidents and certain cybersecurity incidents to certain entities within specified timeframes; requiring the Cybersecurity Operations Center to provide certain notifications to the Legislature within a specified timeframe; requiring the Cybersecurity Operations Center to quarterly provide certain reports to the Legislature and the Florida Cybersecurity Advisory Council; requiring the department, acting through the Florida Digital Service, to develop and publish guidelines and processes by a specified date for submitting after-action reports and annually provide cybersecurity training to certain persons; requiring state agency heads to annually provide cybersecurity awareness training to certain persons; requiring state agencies to report cybersecurity incidents and ransomware incidents in compliance with certain procedures and
timeframes; requiring state agency heads to submit certain after-action reports to the Florida Digital Service within a specified timeframe; creating s. 282.3185, F.S.; providing a short title; providing a definition; requiring the Florida Digital Service to develop certain cybersecurity training curricula; requiring certain persons to complete certain cybersecurity training within a specified timeframe and annually thereafter; authorizing the Florida Digital Service to provide certain training in collaboration with certain entities; requiring certain local governments to adopt certain cybersecurity standards by specified dates; requiring local governments to provide certain notification to the Florida Digital Service and certain entities; providing notification requirements; requiring local governments to report ransomware incidents and certain cybersecurity incidents to certain entities within specified timeframes; requiring the Cybersecurity Operations Center to provide certain notification to the Legislature within a specified timeframe; authorizing local governments to report certain cybersecurity incidents to certain entities; requiring the Cybersecurity Operations Center to quarterly provide certain reports to the Legislature and the
Florida Cybersecurity Advisory Council; requiring local governments to submit after-action reports containing certain information to the Florida Digital Service within a specified timeframe; requiring the Florida Digital Service to establish certain guidelines and processes by a specified date; creating s. 282.3186, F.S.; prohibiting certain entities from paying or otherwise complying with a ransom demand; amending s. 282.319, F.S.; revising the purpose of the Florida Cybersecurity Advisory Council to include advising counties and municipalities on cybersecurity; requiring the council to meet at least quarterly to review certain information and develop and make certain recommendations; requiring the council to annually submit to the Governor and the Legislature a certain ransomware incident report beginning on a specified date; providing requirements for the report; providing a definition; creating s. 815.062, F.S.; providing a definition; providing criminal penalties; requiring a person convicted of certain offenses to pay a certain fine; requiring deposit of certain moneys in the General Revenue Fund; providing a legislative finding and declaration of an important state interest; providing an effective date.
Be It Enacted by the Legislature of the State of Florida:
Section 1. Subsections (28) through (37) of section 282.0041, Florida Statutes, are renumbered as subsections (29) through (38), respectively, subsection (19) is amended, and a new subsection (28) is added to that section, to read:
282.0041 Definitions.—As used in this chapter, the term:
(19) "Incident" means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in which a the state agency, county, or municipality has a factual basis for believing that a specific incident is about to occur.
(28) "Ransomware incident" means a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency's, county's, or municipality's data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.
Section 2. Paragraphs (c) and (g) of subsection (3) and paragraphs (i) and (j) of subsection (4) of section 282.318, Florida Statutes, are amended, and paragraph (k) is added to subsection (4) of that section, to read:
282.318 Cybersecurity.—
(3) The department, acting through the Florida Digital Service, is the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:
(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to
support operational risk decisions.
3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.
4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.
8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
9. Establishing a cybersecurity incident reporting process that includes procedures and tiered reporting timeframes for notifying the department and the Department of Law Enforcement of cybersecurity incidents. The tiered reporting timeframes
shall be based upon the level of severity of the cybersecurity incidents being reported.
a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:
(I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local government's residents.
(II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.
(III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
(IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
(V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
b. The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which, at a minimum, must include the following:
(I) A summary of the facts surrounding the cybersecurity incident or ransomware incident.
(II) The date on which the state agency most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing.
(III) The types of data compromised by the cybersecurity incident or ransomware incident.
(IV) The estimated fiscal impact of the cybersecurity incident or ransomware incident.
(V) In the case of a ransomware incident, the details of the ransom demanded.
c.(I) A state agency shall report all ransomware incidents and any cybersecurity incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no later than 12 hours after discovery of the ransomware incident. The report must contain the information required in sub-subparagraph b.
(II) The Cybersecurity Operations Center shall notify the
President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a state agency's incident report. The notification must include a high-level description of the incident and the likely effects.
d. A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible. The report must contain the information required in sub-subparagraph b.
e. The Cybersecurity Operations Center shall provide a consolidated incident report on a quarterly basis to the President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any agency, network information, or system identifying information but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).
10. Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans.
11. Developing agency strategic and operational
cybersecurity plans required pursuant to this section.
12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.
13. Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.
14. Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2022.
(g) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which that develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph (c)9.a. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.
(4) Each state agency head shall, at a minimum:
(i) Provide cybersecurity awareness training to all state agency employees within in the first 30 days after commencing employment, and annually thereafter, concerning cybersecurity risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.
(j) Develop a process for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents which is consistent with the security rules, guidelines, and processes established by the department through the Florida Digital Service.
1. All cybersecurity incidents and ransomware incidents breaches must be reported by state agencies. Such reports to the Florida Digital Service within the department and the Cybercrime Office of the Department of Law Enforcement and must comply with the notification procedures and reporting timeframes established pursuant to paragraph (3)(c).
2. For cybersecurity breaches, state agencies shall provide notice in accordance with s. 501.171.
(k) Submit to the Florida Digital Service, within 1 week after the remediation of a cybersecurity incident or ransomware
incident, an after-action report that summarizes the incident, the incident's resolution, and any insights gained as a result of the incident.
Section 3. Section 282.3185, Florida Statutes, is created to read:
282.3185 Local government cybersecurity.—
(1) SHORT TITLE.—This section may be cited as the "Local Government Cybersecurity Act."
(2) DEFINITION.—As used in this section, the term "local government" means any county or municipality.
(3) CYBERSECURITY TRAINING.—
(a) The Florida Digital Service shall:
1. Develop a basic cybersecurity training curriculum for local government employees. All local government employees with access to the local government's network must complete the basic cybersecurity training within 30 days after commencing employment and annually thereafter.
2. Develop an advanced cybersecurity training curriculum for local governments which is consistent with the cybersecurity training required under s. 282.318(3)(g). All local government technology professionals and employees with access to highly sensitive information must complete the advanced cybersecurity training within 30 days after commencing employment and annually thereafter.
(b) The Florida Digital Service may provide the
cybersecurity training required by this subsection in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.
(4) CYBERSECURITY STANDARDS.—
(a) Each local government shall adopt cybersecurity standards that safeguard its data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The cybersecurity standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.
(b) Each county with a population of 75,000 or more must adopt the cybersecurity standards required by this subsection by January 1, 2024. Each county with a population of less than 75,000 must adopt the cybersecurity standards required by this subsection by January 1, 2025.
(c) Each municipality with a population of 25,000 or more must adopt the cybersecurity standards required by this subsection by January 1, 2024. Each municipality with a population of less than 25,000 must adopt the cybersecurity standards required by this subsection by January 1, 2025.
(d) Each local government shall notify the Florida Digital Service of its compliance with this subsection as soon as possible.
(5) INCIDENT NOTIFICATION.—
(a) A local government shall provide notification of a cybersecurity incident or ransomware incident to the Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement, and sheriff who has jurisdiction over the local government in accordance with paragraph (b). The notification must include, at a minimum, the following information:
1. A summary of the facts surrounding the cybersecurity incident or ransomware incident.
2. The date on which the local government most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing.
3. The types of data compromised by the cybersecurity incident or ransomware incident.
4. The estimated fiscal impact of the cybersecurity incident or ransomware incident.
5. In the case of a ransomware incident, the details of the ransom demanded.
6. A statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government.
(b)1. A local government shall report all ransomware
incidents and any cybersecurity incident determined by the local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government as soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no later than 12 hours after discovery of the ransomware incident. The report must contain the information required in paragraph (a).
2. The Cybersecurity Operations Center shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a local government's incident report. The notification must include a high-level description of the incident and the likely effects.
(c) A local government may report a cybersecurity incident determined by the local government to be of severity level 1 or 2 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government. The report shall contain the information required in paragraph (a).
(d) The Cybersecurity Operations Center shall provide a consolidated incident report on a quarterly basis to the
President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any local government, network information, or system identifying information but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).
(6) AFTER-ACTION REPORT.—A local government must submit to the Florida Digital Service, within 1 week after the remediation of a cybersecurity incident or ransomware incident, an after-action report that summarizes the incident, the incident's resolution, and any insights gained as a result of the incident. By December 1, 2022, the Florida Digital Service shall establish guidelines and processes for submitting an after-action report.
Section 4. Section 282.3186, Florida Statutes, is created to read:
282.3186 Ransomware incident compliance.—A state agency as defined in s. 282.318(2), a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.
Section 5. Subsections (2) of section 282.319, Florida Statutes, is amended, paragraphs (g) and (h) are added to subsection (9), and subsections (12) and (13) are added to that section, to read:
282.319 Florida Cybersecurity Advisory Council.—
(2) The purpose of the council is to:
(a) Assist state agencies in protecting their information technology resources from cybersecurity cyber threats and incidents.
(b) Advise counties and municipalities on cybersecurity, including cybersecurity threats, trends, and best practices.
(9) The council shall meet at least quarterly to:
(g) Review information relating to cybersecurity incidents and ransomware incidents to determine commonalities and develop best practice recommendations for state agencies, counties, and municipalities.
(h) Recommend any additional information that a county or municipality should report to the Florida Digital Service as part of its cybersecurity incident or ransomware incident notification pursuant to s. 282.3185.
(12) Beginning December 1, 2022, and each December 1 thereafter, the council shall submit to the Governor, the President of the Senate, and the Speaker of the House of Representatives a comprehensive report that includes data, trends, analysis, findings, and recommendations for state and local action regarding ransomware incidents. At a minimum, the report must include:
(a) Descriptive statistics including the amount of ransom requested, duration of the ransomware incident, and overall
631-ENROLLED
632-CS/HB 7055 2022 Legislature
631+
632+CS/HB 7055 2022
633633
634634
635635
636636 CODING: Words stricken are deletions; words underlined are additions.
637-hb7055-02-er
637+hb7055-01-c1
638638 Page 18 of 20
639639 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
640640
641641
642642
643643 monetary cost to taxpayers of the ransomware incident. 426
644644 (b) A detailed statistical analysis of the circumstances 427
645645 that led to the ransomware incident which does not include the 428
646646 name of the state agency, county, or municipality; network 429
647647 information; or system identifying information. 430
648648 (c) A detailed statistical analysis of the level of 431
649649 cybersecurity employee training and frequency of data backup for 432
650650 the state agency, county, or municipality that reported the 433
651651 ransomware incident. 434
652652 (d) Specific issues identified with current policies, 435
653653 procedures, rules, or statutes and recommendations to address 436
654654 such issues. 437
655655 (e) Any other recommendations to prevent ransomware 438
656656 incidents. 439
657657 (13) For purposes of this section, the term "state agency" 440
658658 has the same meaning as provided in s. 282.318(2). 441
659659 Section 6. Section 815.062, Florida Statutes, is created 442
660660 to read: 443
661661 815.062 Offenses against governmental entities. — 444
662662 (1) As used in this section, the term "governmental 445
663663 entity" means any official, officer, commission, board, 446
664664 authority, council, committe e, or department of the executive, 447
665665 judicial, or legislative branch of state government; any state 448
666666 university; or any county or municipality, special district, 449
667667 water management district, or other political subdivision of the 450
668-ENROLLED
669-CS/HB 7055 2022 Legislature
668+
669+CS/HB 7055 2022
670670
671671
672672
673673 CODING: Words stricken are deletions; words underlined are additions.
674-hb7055-02-er
674+hb7055-01-c1
675675 Page 19 of 20
676676 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
677677
678678
679679
680680 state. 451
681681 (2) A person who willfu lly, knowingly, and without 452
682682 authorization introduces a computer contaminant that gains 453
683683 unauthorized access to, encrypts, modifies, or otherwise renders 454
684684 unavailable data, programs, or supporting documentation residing 455
685685 or existing within a computer, computer system, computer 456
686686 network, or electronic device owned or operated by a 457
687687 governmental entity and demands a ransom to prevent the 458
688688 publication of or restore access to the data, programs, or 459
689689 supporting documentation or to otherwise remediate the impact of 460
690690 the computer contaminant commits a felony of the first degree, 461
691691 punishable as provided in s. 775.082, s. 775.083, or s. 775.084. 462
692692 (3) An employee or contractor of a governmental entity 463
693693 with access to the governmental entity's network who willfully 464
694694 and knowingly aids or abets another in the commission of a 465
695695 violation of subsection (2) commits a felony of the first 466
696696 degree, punishable as provided in s. 775.082, s. 775.083, or s. 467
697697 775.084. 468
698698 (4) In addition to any other penalty imposed, a person 469
699699 convicted of a violati on of this section must pay a fine equal 470
700700 to twice the amount of the ransom demand. Moneys recovered under 471
701701 this subsection shall be deposited into the General Revenue 472
702702 Fund. 473
703703 Section 7. The Legislature finds and declares that this 474
704704 act fulfills an important state interest. 475
705-ENROLLED
706-CS/HB 7055 2022 Legislature
705+
706+CS/HB 7055 2022
707707
708708
709709
710710 CODING: Words stricken are deletions; words underlined are additions.
711-hb7055-02-er
711+hb7055-01-c1
712712 Page 20 of 20
713713 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
714714
715715
716716
717717 Section 8. This act shall take effect July 1, 2022. 476