FL House Bill 7055 And What It Means For Your Cybersecurity

Florida’s governor, Ron Desantis, has increased government spending on tech and cybersecurity education and resources. With this focus on cybersecurity, the Florida Senate recently passed Bill 7055 speaking to new cybersecurity procedures. These amendments to Florida’s Cybersecurity Act came into effect on July 1, 2022. The bill’s biggest focus is on ransomware and how government agencies are to respond to a ransomware incident. According to the bill, “ ‘Ransomware incident’ means a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise, renders unavailable a state agency's, county's, or municipality's data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.” These situations pose a major threat to sensitive data. They also put the agencies between a rock and a hard place. They either pay the ransom or take on the cost of exposing data and restoring the systems themselves. Hopefully, this new bill will mitigate the damages a ransomware incident can cause. With the increased spending on cybersecurity, it is hopeful that Florida’s government, at every level, will be more prepared for a cyber attack.

Bill Breakdown

Here is the breakdown of Bill 7055:

• Ransomware Incident Reporting: Since ransomware is now included in The Cybersecurity Act, government agencies must promptly report ransomware incidents. Specifically, when a ransomware attack occurs, agencies must send a report to Florida’s Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the local sheriff’s office within 12 hours. Agencies must also avoid paying the ransom demanded.
• Severity Levels: Cybersecurity threats now fall into new severity levels, ranging from 1 to 5. Notably, if the severity level exceeds 3, agencies must report the incident within 48 hours of discovery for general cybersecurity threats and within 12 hours for ransomware threats.
• Local Governments: This bill applies to state, county, and local government agencies, departments, and municipalities. Consequently, these entities must now adhere to the new reporting requirements and standards.
• Penalties: Moreover, felony charges of the first degree will be imposed on anyone who commits an act of ransomware. In addition, individuals convicted of this crime will face fines amounting to twice the ransom demanded.
• Cybersecurity Training: Training is now mandatory for all state agency technology professionals and employees with access to sensitive information. This training must cover identifying cybersecurity severity levels and occur within 30 days of onboarding a new employee, as well as annually thereafter.
• After-action Reports: After a cybersecurity or ransomware incident, an after-action report must be submitted. Agencies will develop and publish the procedures for these reports by December 1, 2022.

The Ransomware Report

The ransomware report itself is quite extensive. It must be submitted within 12 hours. It also must include the following:

• A summary of the incident
• The most recent date that data was backed
• The location of the backup
• If the backup was affected
• If the backup was created with cloud computing
• The type of data compromised
• The financial impact of the incident
• The details of the ransom being asked

What This Means

The increased budget and focus on cybersecurity are good for increasing safety measures and ensuring best practices for cybersecurity in government agencies. Bill 7055 speaks directly to government agencies, giving them new responsibilities around the issue. New responsibilities mean more work for the agencies. However, this work is imperative to the safety of our state. Government agencies now have the task of implementing new training, protecting their networks, developing an incident response plan, and responding to incidents properly. This is a lot to add to the mix. Since this bill includes each level of government, local government now bears the burden of implementing further training. Creating a curriculum, and training new staff in addition to annual training adds a lot of extra work hours. Cybersecurity insurance is expensive and not enough. According to Florida Today, insurance companies previously paid the ransom for attacks on government agencies. However, it's unclear if this practice will be allowed under the new bill. This can feel overwhelming, but that’s where we come in.

We Can Help

We understand the added workload this new bill brings to local governments and municipalities. The benefits of better cybersecurity come with a great deal of extra work. There are resources for support through the Florida Digital Service. However, private cybersecurity experts, like vTECH io, are available for extensive support as well. We are here to help agencies adhere to these new amendments. We want to make it easier to create a safer cyberspace. One service we offer is our Blue Team Assessment. It is a pen test that determines any network vulnerabilities. The assessment provides a comprehensive report that shows procedural changes or solutions to solidify your network security. The competitive pricing makes it an excellent and affordable option for your agency. Additionally, we can reduce the workload of agencies by helping train employees. We also offer help in developing incident response plans, aid in responding to incidents, and network protection. Our highly experienced team is ready to assist and on-call anytime there is an emergency.  We have a strong local presence in Florida, so we are easily accessible. Ransomware incidents are not convenient, but working with us is. To partner with us today, click here now.