ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 1 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
1
An act relating to cybersecurity; amending s. 2
282.0041, F.S.; providing and revising definitions; 3
amending s. 282.318, F.S.; requiring the Department of 4
Management Services, acting through the Florida 5
Digital Service, to develop and publish guidelines and 6
processes for reporting cybersecurity incidents; 7
requiring state agencies to report ransomware 8
incidents and certain cybersecurity incidents to 9
certain entities within specified timeframes; 10
requiring the Cybersecurity Operations Center to 11
provide certain notifications to the Legislature 12
within a specified timeframe; requiring the 13
Cybersecurity Operations Center to quarterly provide 14
certain reports to the L egislature and the Florida 15
Cybersecurity Advisory Council; requiring the 16
department, acting through the Florida Digital 17
Service, to develop and publish guidelines and 18
processes by a specified date for submitting after -19
action reports and annually provide cy bersecurity 20
training to certain persons; requiring state agency 21
heads to annually provide cybersecurity awareness 22
training to certain persons; requiring state agencies 23
to report cybersecurity incidents and ransomware 24
incidents in compliance with certain pr ocedures and 25
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 2 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
timeframes; requiring state agency heads to submit 26
certain after-action reports to the Florida Digital 27
Service within a specified timeframe; creating s. 28
282.3185, F.S.; providing a short title; providing a 29
definition; requiring the Florida Dig ital Service to 30
develop certain cybersecurity training curricula; 31
requiring certain persons to complete certain 32
cybersecurity training within a specified timeframe 33
and annually thereafter; authorizing the Florida 34
Digital Service to provide certain training in 35
collaboration with certain entities; requiring certain 36
local governments to adopt certain cybersecurity 37
standards by specified dates; requiring local 38
governments to provide certain notification to the 39
Florida Digital Service and certain entities; 40
providing notification requirements; requiring local 41
governments to report ransomware incidents and certain 42
cybersecurity incidents to certain entities within 43
specified timeframes; requiring the Cybersecurity 44
Operations Center to provide certain notification to 45
the Legislature within a specified timeframe; 46
authorizing local governments to report certain 47
cybersecurity incidents to certain entities; requiring 48
the Cybersecurity Operations Center to quarterly 49
provide certain reports to the Legislature and the 50
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 3 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Florida Cybersecurity Advisory Council; requiring 51
local governments to submit after -action reports 52
containing certain information to the Florida Digital 53
Service within a specified timeframe; requiring the 54
Florida Digital Service to establish certain 55
guidelines and processes by a specified date; creating 56
s. 282.3186, F.S.; prohibiting certain entities from 57
paying or otherwise complying with a ransom demand; 58
amending s. 282.319, F.S.; revising the purpose of the 59
Florida Cybersecurity Advisory Council to include 60
advising counties and municipalities on cybersecurity; 61
requiring the council to meet at least quarterly to 62
review certain information and develop and make 63
certain recommendations; requiring the council to 64
annually submit to the Governor and the Legislature a 65
certain ransomware incident report beginning on a 66
specified date; providing requirements for the report; 67
providing a definition; creating s. 815.062, F.S.; 68
providing a definition; providing criminal penalties; 69
requiring a person convicted of certain offens es to 70
pay a certain fine; requiring deposit of certain 71
moneys in the General Revenue Fund; providing a 72
legislative finding and declaration of an important 73
state interest; providing an effective date. 74
75
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 4 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Be It Enacted by the Legislature of the State of Fl orida: 76
77
Section 1. Subsections (28) through (37) of section 78
282.0041, Florida Statutes, are renumbered as subsections (29) 79
through (38), respectively, subsection (19) is amended, and a 80
new subsection (28) is added to that section, to read: 81
282.0041 Definitions.—As used in this chapter, the term: 82
(19) "Incident" means a violation or imminent threat of 83
violation, whether such violation is accidental or deliberate, 84
of information technology resources, security, policies, or 85
practices. An imminent threa t of violation refers to a situation 86
in which a the state agency, county, or municipality has a 87
factual basis for believing that a specific incident is about to 88
occur. 89
(28) "Ransomware incident" means a malicious cybersecurity 90
incident in which a person or entity introduces software that 91
gains unauthorized access to or encrypts, modifies, or otherwise 92
renders unavailable a state agency's, county's, or 93
municipality's data and thereafter the person or entity demands 94
a ransom to prevent the publication of th e data, restore access 95
to the data, or otherwise remediate the impact of the software. 96
Section 2. Paragraphs (c) and (g) of subsection (3) and 97
paragraphs (i) and (j) of subsection (4) of section 282.318, 98
Florida Statutes, are amended, and paragraph (k) is added to 99
subsection (4) of that section, to read: 100
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 5 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
282.318 Cybersecurity. — 101
(3) The department, acting through the Florida Digital 102
Service, is the lead entity responsible for establishing 103
standards and processes for assessing state agency cybersecuri ty 104
risks and determining appropriate security measures. Such 105
standards and processes must be consistent with generally 106
accepted technology best practices, including the National 107
Institute for Standards and Technology Cybersecurity Framework, 108
for cybersecurity. The department, acting through the Florida 109
Digital Service, shall adopt rules that mitigate risks; 110
safeguard state agency digital assets, data, information, and 111
information technology resources to ensure availability, 112
confidentiality, and integrity; a nd support a security 113
governance framework. The department, acting through the Florida 114
Digital Service, shall also: 115
(c) Develop and publish for use by state agencies a 116
cybersecurity governance framework that, at a minimum, includes 117
guidelines and process es for: 118
1. Establishing asset management procedures to ensure that 119
an agency's information technology resources are identified and 120
managed consistent with their relative importance to the 121
agency's business objectives. 122
2. Using a standard risk assessmen t methodology that 123
includes the identification of an agency's priorities, 124
constraints, risk tolerances, and assumptions necessary to 125
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 6 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
support operational risk decisions. 126
3. Completing comprehensive risk assessments and 127
cybersecurity audits, which may be c ompleted by a private sector 128
vendor, and submitting completed assessments and audits to the 129
department. 130
4. Identifying protection procedures to manage the 131
protection of an agency's information, data, and information 132
technology resources. 133
5. Establishing procedures for accessing information and 134
data to ensure the confidentiality, integrity, and availability 135
of such information and data. 136
6. Detecting threats through proactive monitoring of 137
events, continuous security monitoring, and defin ed detection 138
processes. 139
7. Establishing agency cybersecurity incident response 140
teams and describing their responsibilities for responding to 141
cybersecurity incidents, including breaches of personal 142
information containing confidential or exempt data. 143
8. Recovering information and data in response to a 144
cybersecurity incident. The recovery may include recommended 145
improvements to the agency processes, policies, or guidelines. 146
9. Establishing a cybersecurity incident reporting process 147
that includes procedur es and tiered reporting timeframes for 148
notifying the department and the Department of Law Enforcement 149
of cybersecurity incidents. The tiered reporting timeframes 150
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 7 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
shall be based upon the level of severity of the cybersecurity 151
incidents being reported. 152
a. The level of severity of the cybersecurity incident is 153
defined by the National Cyber Incident Response Plan of the 154
United States Department of Homeland Security as follows: 155
(I) Level 5 is an emergency -level incident within the 156
specified jurisdiction that poses an imminent threat to the 157
provision of wide-scale critical infrastructure services; 158
national, state, or local government security; or the lives of 159
the country's, state's, or local government's residents. 160
(II) Level 4 is a severe -level incident that is likely to 161
result in a significant impact in the affected jurisdiction to 162
public health or safety; national, state, or local security; 163
economic security; or civil liberties. 164
(III) Level 3 is a high -level incident that is likely to 165
result in a demonstrable impact in the affected jurisdiction to 166
public health or safety; national, state, or local security; 167
economic security; civil liberties; or public confidence. 168
(IV) Level 2 is a medium -level incident that may impact 169
public health or safety; national, state, or local security; 170
economic security; civil liberties; or public confidence. 171
(V) Level 1 is a low -level incident that is unlikely to 172
impact public health or safety; national, state, or local 173
security; economic security; civil liberties; or public 174
confidence. 175
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 8 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
b. The cybersecurity incident reporting process must 176
specify the information that must be reported by a state agency 177
following a cybersecurity incident or ransomware incident, 178
which, at a minimum, must include the following: 179
(I) A summary of the facts surrounding the cybersecurity 180
incident or ransomware incident. 181
(II) The date on which the state agency most recently 182
backed up its data, the physical location of the backup, if the 183
backup was affected, and if the backup was created using clo ud 184
computing. 185
(III) The types of data compromised by the cybersecurity 186
incident or ransomware incident. 187
(IV) The estimated fiscal impact of the cybersecurity 188
incident or ransomware incident. 189
(V) In the case of a ransomware incident, the details of 190
the ransom demanded. 191
c.(I) A state agency shall report all ransomware incidents 192
and any cybersecurity incident determined by the state agency to 193
be of severity level 3, 4, or 5 to the Cybersecurity Operations 194
Center and the Cybercrime Office of the Departm ent of Law 195
Enforcement as soon as possible but no later than 48 hours after 196
discovery of the cybersecurity incident and no later than 12 197
hours after discovery of the ransomware incident. The report 198
must contain the information required in sub -subparagraph b. 199
(II) The Cybersecurity Operations Center shall notify the 200
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 9 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
President of the Senate and the Speaker of the House of 201
Representatives of any severity level 3, 4, or 5 incident as 202
soon as possible but no later than 12 hours after receiving a 203
state agency's incident report. The notification must include a 204
high-level description of the incident and the likely effects. 205
d. A state agency shall report a cybersecurity incident 206
determined by the state agency to be of severity level 1 or 2 to 207
the Cybersecurity Op erations Center and the Cybercrime Office of 208
the Department of Law Enforcement as soon as possible. The 209
report must contain the information required in sub -subparagraph 210
b. 211
e. The Cybersecurity Operations Center shall provide a 212
consolidated incident repor t on a quarterly basis to the 213
President of the Senate, the Speaker of the House of 214
Representatives, and the Florida Cybersecurity Advisory Council. 215
The report provided to the Florida Cybersecurity Advisory 216
Council may not contain the name of any agency, ne twork 217
information, or system identifying information but must contain 218
sufficient relevant information to allow the Florida 219
Cybersecurity Advisory Council to fulfill its responsibilities 220
as required in s. 282.319(9). 221
10. Incorporating information obtained through detection 222
and response activities into the agency's cybersecurity incident 223
response plans. 224
11. Developing agency strategic and operational 225
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 10 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
cybersecurity plans required pursuant to this section. 226
12. Establishing the managerial, operational, and 227
technical safeguards for protecting state government data and 228
information technology resources that align with the state 229
agency risk management strategy and that protect the 230
confidentiality, integrity, and availability of information and 231
data. 232
13. Establishing procedures for procuring information 233
technology commodities and services that require the commodity 234
or service to meet the National Institute of Standards and 235
Technology Cybersecurity Framework. 236
14. Submitting after -action reports following a 237
cybersecurity incident or ransomware incident. Such guidelines 238
and processes for submitting after -action reports must be 239
developed and published by December 1, 2022. 240
(g) Annually provide cybersecurity training to all state 241
agency technology professionals and employees with access to 242
highly sensitive information which that develops, assesses, and 243
documents competencies by role and skill level. The 244
cybersecurity training curriculum must include training on the 245
identification of each cybersecurity incident seve rity level 246
referenced in sub-subparagraph (c)9.a. The training may be 247
provided in collaboration with the Cybercrime Office of the 248
Department of Law Enforcement, a private sector entity, or an 249
institution of the State University System. 250
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 11 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
(4) Each state agency head shall, at a minimum: 251
(i) Provide cybersecurity awareness training to all state 252
agency employees within in the first 30 days after commencing 253
employment, and annually thereafter, concerning cybersecurity 254
risks and the responsibility of employees to comply with 255
policies, standards, guidelines, and operating procedures 256
adopted by the state agency to reduce those risks. The training 257
may be provided in collaboration with the Cybercrime Office of 258
the Department of Law Enforcement, a private sector enti ty, or 259
an institution of the State University System. 260
(j) Develop a process for detecting, reporting, and 261
responding to threats, breaches, or cybersecurity incidents 262
which is consistent with the security rules, guidelines, and 263
processes established by the department through the Florida 264
Digital Service. 265
1. All cybersecurity incidents and ransomware incidents 266
breaches must be reported by state agencies. Such reports to the 267
Florida Digital Service within the department and the Cy bercrime 268
Office of the Department of Law Enforcement and must comply with 269
the notification procedures and reporting timeframes established 270
pursuant to paragraph (3)(c). 271
2. For cybersecurity breaches, state agencies shall 272
provide notice in accordance with s. 501.171. 273
(k) Submit to the Florida Digital Service, within 1 week 274
after the remediation of a cybersecurity incident or ransomware 275
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 12 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
incident, an after-action report that summarizes the incident, 276
the incident's resolution, and any insights gained as a r esult 277
of the incident. 278
Section 3. Section 282.3185, Florida Statutes, is created 279
to read: 280
282.3185 Local government cybersecurity. — 281
(1) SHORT TITLE.—This section may be cited as the "Local 282
Government Cybersecurity Act." 283
(2) DEFINITION.—As used in this section, the term "local 284
government" means any county or municipality. 285
(3) CYBERSECURITY TRAINING. — 286
(a) The Florida Digital Service shall: 287
1. Develop a basic cybersecurity training curriculum for 288
local government empl oyees. All local government employees with 289
access to the local government's network must complete the basic 290
cybersecurity training within 30 days after commencing 291
employment and annually thereafter. 292
2. Develop an advanced cybersecurity training curriculu m 293
for local governments which is consistent with the cybersecurity 294
training required under s. 282.318(3)(g). All local government 295
technology professionals and employees with access to highly 296
sensitive information must complete the advanced cybersecurity 297
training within 30 days after commencing employment and annually 298
thereafter. 299
(b) The Florida Digital Service may provide the 300
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 13 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
cybersecurity training required by this subsection in 301
collaboration with the Cybercrime Office of the Department of 302
Law Enforcement, a private sector entity, or an institution of 303
the State University System. 304
(4) CYBERSECURITY STANDARDS. — 305
(a) Each local government shall adopt cybersecurity 306
standards that safeguard its data, information technology, and 307
information technology resourc es to ensure availability, 308
confidentiality, and integrity. The cybersecurity standards must 309
be consistent with generally accepted best practices for 310
cybersecurity, including the National Institute of Standards and 311
Technology Cybersecurity Framework. 312
(b) Each county with a population of 75,000 or more must 313
adopt the cybersecurity standards required by this subsection by 314
January 1, 2024. Each county with a population of less than 315
75,000 must adopt the cybersecurity standards required by this 316
subsection by January 1, 2025. 317
(c) Each municipality with a population of 25,000 or more 318
must adopt the cybersecurity standards required by this 319
subsection by January 1, 2024. Each municipality with a 320
population of less than 25,000 must adopt the cybersecurity 321
standards required by this subsection by January 1, 2025. 322
(d) Each local government shall notify the Florida Digital 323
Service of its compliance with this subsection as soon as 324
possible. 325
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 14 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
(5) INCIDENT NOTIFICATION. — 326
(a) A local government shall provide notifica tion of a 327
cybersecurity incident or ransomware incident to the 328
Cybersecurity Operations Center, Cybercrime Office of the 329
Department of Law Enforcement, and sheriff who has jurisdiction 330
over the local government in accordance with paragraph (b). The 331
notification must include, at a minimum, the following 332
information: 333
1. A summary of the facts surrounding the cybersecurity 334
incident or ransomware incident. 335
2. The date on which the local government most recently 336
backed up its data, the physical location of t he backup, if the 337
backup was affected, and if the backup was created using cloud 338
computing. 339
3. The types of data compromised by the cybersecurity 340
incident or ransomware incident. 341
4. The estimated fiscal impact of the cybersecurity 342
incident or ransomwar e incident. 343
5. In the case of a ransomware incident, the details of 344
the ransom demanded. 345
6. A statement requesting or declining assistance from the 346
Cybersecurity Operations Center, the Cybercrime Office of the 347
Department of Law Enforcement, or the sher iff who has 348
jurisdiction over the local government. 349
(b)1. A local government shall report all ransomware 350
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 15 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
incidents and any cybersecurity incident determined by the local 351
government to be of severity level 3, 4, or 5 as provided in s. 352
282.318(3)(c) to the Cybersecurity Operations Center, the 353
Cybercrime Office of the Department of Law Enforcement, and the 354
sheriff who has jurisdiction over the local government as soon 355
as possible but no later than 48 hours after discovery of the 356
cybersecurity incident and no later than 12 hours after 357
discovery of the ransomware incident. The report must contain 358
the information required in paragraph (a). 359
2. The Cybersecurity Operations Center shall notify the 360
President of the Senate and the Speaker of the House of 361
Representatives of any severity level 3, 4, or 5 incident as 362
soon as possible but no later than 12 hours after receiving a 363
local government's incident report. The notification must 364
include a high-level description of the incident and the likely 365
effects. 366
(c) A local government may report a cybersecurity incident 367
determined by the local government to be of severity level 1 or 368
2 as provided in s. 282.318(3)(c) to the Cybersecurity 369
Operations Center, the Cybercrime Office of the Department of 370
Law Enforcement, and the s heriff who has jurisdiction over the 371
local government. The report shall contain the information 372
required in paragraph (a). 373
(d) The Cybersecurity Operations Center shall provide a 374
consolidated incident report on a quarterly basis to the 375
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 16 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
President of the Senate, the Speaker of the House of 376
Representatives, and the Florida Cybersecurity Advisory Council. 377
The report provided to the Florida Cybersecurity Advisory 378
Council may not contain the name of any local government, 379
network information, o r system identifying information but must 380
contain sufficient relevant information to allow the Florida 381
Cybersecurity Advisory Council to fulfill its responsibilities 382
as required in s. 282.319(9). 383
(6) AFTER-ACTION REPORT.—A local government must submit to 384
the Florida Digital Service, within 1 week after the remediation 385
of a cybersecurity incident or ransomware incident, an after -386
action report that summarizes the incident, the incident's 387
resolution, and any insights gained as a result of the incident. 388
By December 1, 2022, the Florida Digital Service shall establish 389
guidelines and processes for submitting an after -action report. 390
Section 4. Section 282.3186, Florida Statutes, is created 391
to read: 392
282.3186 Ransomware incident compliance. —A state agency as 393
defined in s. 282.318(2), a county, or a municipality 394
experiencing a ransomware incident may not pay or otherwise 395
comply with a ransom demand. 396
Section 5. Subsections (2) of section 282.319, Florida 397
Statutes, is amended, paragraphs (g) and (h) are added to 398
subsection (9), and subsections (12) and (13) are added to that 399
section, to read: 400
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 17 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
282.319 Florida Cybersecurity Advisory Council. — 401
(2) The purpose of the council is to : 402
(a) Assist state agencies in protecting their information 403
technology resources from cybersecurity cyber threats and 404
incidents. 405
(b) Advise counties and municipalities on cybersecurity, 406
including cybersecurity threats, trends, and best practices. 407
(9) The council shall meet at least quarterly to: 408
(g) Review information relating to cybersecurity incidents 409
and ransomware incidents to determine commonalities and develop 410
best practice recommendations for state agencies, counties, and 411
municipalities. 412
(h) Recommend any additional information that a county or 413
municipality should repor t to the Florida Digital Service as 414
part of its cybersecurity incident or ransomware incident 415
notification pursuant to s. 282.3185. 416
(12) Beginning December 1, 2022, and each December 1 417
thereafter, the council shall submit to the Governor, the 418
President of the Senate, and the Speaker of the House of 419
Representatives a comprehensive report that includes data, 420
trends, analysis, findings, and recommendations for state and 421
local action regarding ransomware incidents. At a minimum, the 422
report must include: 423
(a) Descriptive statistics including the amount of ransom 424
requested, duration of the ransomware incident, and overall 425
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 18 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
monetary cost to taxpayers of the ransomware incident. 426
(b) A detailed statistical analysis of the circumstances 427
that led to the ransomware incident which does not include the 428
name of the state agency, county, or municipality; network 429
information; or system identifying information. 430
(c) A detailed statistical analysis of the level of 431
cybersecurity employee training and frequency of data backu p for 432
the state agency, county, or municipality that reported the 433
ransomware incident. 434
(d) Specific issues identified with current policies, 435
procedures, rules, or statutes and recommendations to address 436
such issues. 437
(e) Any other recommendations to pre vent ransomware 438
incidents. 439
(13) For purposes of this section, the term "state agency" 440
has the same meaning as provided in s. 282.318(2). 441
Section 6. Section 815.062, Florida Statutes, is created 442
to read: 443
815.062 Offenses against governmental entitie s.— 444
(1) As used in this section, the term "governmental 445
entity" means any official, officer, commission, board, 446
authority, council, committee, or department of the executive, 447
judicial, or legislative branch of state government; any state 448
university; or any county or municipality, special district, 449
water management district, or other political subdivision of the 450
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 19 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
state. 451
(2) A person who willfully, knowingly, and without 452
authorization introduces a computer contaminant that gains 453
unauthorized access to, enc rypts, modifies, or otherwise renders 454
unavailable data, programs, or supporting documentation residing 455
or existing within a computer, computer system, computer 456
network, or electronic device owned or operated by a 457
governmental entity and demands a ransom to prevent the 458
publication of or restore access to the data, programs, or 459
supporting documentation or to otherwise remediate the impact of 460
the computer contaminant commits a felony of the first degree, 461
punishable as provided in s. 775.082, s. 775.083, or s. 775.084. 462
(3) An employee or contractor of a governmental entity 463
with access to the governmental entity's network who willfully 464
and knowingly aids or abets another in the commission of a 465
violation of subsection (2) commits a felony of the first 466
degree, punishable as provided in s. 775.082, s. 775.083, or s. 467
775.084. 468
(4) In addition to any other penalty imposed, a person 469
convicted of a violation of this section must pay a fine equal 470
to twice the amount of the ransom demand. Moneys recovered under 471
this subsection shall be deposited into the General Revenue 472
Fund. 473
Section 7. The Legislature finds and declares that this 474
act fulfills an important state interest. 475
ENROLLED
CS/HB 7055 2022 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb7055-02-er
Page 20 of 20
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
Section 8. This act shall take effect July 1, 2022. 476