Florida state agencies and local governments are now subject to new cybersecurity requirements and prohibitions that went into effect on July 1, 2022. These new amendments to Florida’s State Cybersecurity Act (“the Cybersecurity Act”) impose practically impossible-to-meet notification requirements on state and local governmental entities and prohibit them from making ransom payments. Stepping back to look at the changes from a high-level, the amendments will:
- Establish penalties and fines for individuals who engage in ransomware attacks against a governmental entity;
- Define the severity level of a cybersecurity incident and, based on the severity level, may require state agencies and local governments to notify the Florida Department of Law Enforcement’s Cybersecurity Office and the Cybersecurity Operations Center (CSOC) within 12 hours of a ransomware incident or 48 hours of other cybersecurity incidents;
- Prohibit the payment of, or compliance with, a ransom demand;
- Require state agencies and local governments to submit after-action reports to the Department of Law Enforcement following a cybersecurity or ransomware incident;
- Require the CSOC to notify the Florida Legislature of high (or greater) severity level cybersecurity incidents within 12 hours of receiving a report from any local government. The CSOC must also provide the Legislature and the Cybersecurity Advisory Council with a consolidated incident report on a quarterly basis;
- Require cybersecurity training for all state agency and local government employees within 30 days of employment and annually thereafter;
- Require that local governments adopt cybersecurity standards that safeguard data, IT, and IT resources; and,
- Expand the purpose of the Cybersecurity Advisory Council to include advising local governments on cybersecurity, to examine reported incidents to develop best practice recommendations, and to submit an annual comprehensive report regarding ransomware to the Governor and Legislature.
Some of these new requirements will be helpful – forcing government entities to think about and prioritize cybersecurity risk mitigation and avoidance, and ensuring that employees receive ongoing cybersecurity training. Other requirements/prohibitions will be harmful – resulting in permanent loss of sensitive data, significant operational interruptions, and unnecessary expenditures. Some requirements will be impossible to meet, requiring either a change in the law or constant violations of the law.
Here are some questions and answers about the recent amendments to the Cybersecurity Act:
- Where can I find a redlined version of the amendments to the Cybersecurity Act and the legislative analysis?
- Is it true that the new amendments prohibit certain public entities experiencing a ransomware attack from paying a ransom demand?
Yes. Section 282.3186, Fla. Stat. (2022), now states that: “A state agency as defined in s. 282.318(2), a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.” Section 282.318(2) defines a state agency as any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; the Public Service Commission; the Department of Legal Affairs; the Department of Agriculture and Consumer Services; and the Department of Financial Services. University boards of trustees and state universities do not fall within the definition of a “state agency.”
The new amendments are ambiguous as to whether certain activity is prohibited. The payment of money to a ransomware threat actor (or its agent) would certainly fall within the scope of prohibited activity, as would complying with a threat actor’s request to do something other than pay money. But what about communications with a threat actor that (falsely) imply cooperation with the threat actor to “buy more time” to respond to the threat? It is unlikely that such communication would be considered compliance with a ransom demand. How about payment of a ransom using a third party’s funds (e.g., reimbursement through insurance)? This seems far more likely to fall within the scope of prohibited activity. As a practical matter, insurance companies do not pay ransoms directly for their insureds. The insured (government entity) would pay the ransom (which likely violates the law) then seek reimbursement. Less clear is what happens if a third party pays the ransom on behalf of the government entity. In that instance, the degree to which the government entity influenced the payment of the ransom may be a significant factor, but again – the statute’s language is unclear.
- How does HB 7055 define “ransomware”? Does the prohibition apply only where ransomware tools are used, or does it apply also to unauthorized access and exfiltration of data (i.e., a cyberattack without the use of ransomware) followed by extortion to prevent further distribution of the stolen data?
A “ransomware incident” is defined as “a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.” In other words, a ransomware incident includes any unauthorized intrusion resulting in theft of data and a subsequent demand to prevent publication of that data. The use of ransomware tools/files are not required.
- What are the new severity levels for cybersecurity incidents?
The new amendments impose strict notification requirements for cyberattacks that do not involve ransomware. The speed with which notice must be provided to state officials by the attacked entity depends on the severity level of the cybersecurity incident. The new amendments have adopted severity levels established in the U.S. Department of Homeland Security’s National Cyber Incident Response Plan. The severity levels are as follows:
- Level 5 – emergency-level incident that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents.
- Level 4 – severe-level incident likely to result in a significant impact to public health or safety; national, state, or local security; economic security; or civil liberties.
- Level 3 – high-level incident likely to result in a demonstrable impact to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
- Level 2 – medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
- Level 1 – low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
- Which incidents must be reported by state agencies? To whom? By when? What information must be included in the notification reports?
State agencies must report to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement (identified on its website as the Florida Computer Crime Center): (1) all ransomware incidents, and (2) any level 3, 4, or 5 cybersecurity incidents. Ransomware incidents must be reported within 12 hours of discovery. A level 3, 4, or 5 cybersecurity incident must be reported as soon as possible, but “no later than 48 hours after discovery of the cybersecurity incident.” State agencies must notify the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement of level 1 or 2 cybersecurity incidents “as soon as possible.”
There are potential problems with the new notification requirements. First, the impacted state agency may not know what “level” incident it is experiencing until well after it “discovers” the incident. Does the 48-hour clock start to run when the entity knows the incident level or, as the statute says, after discovering the incident?
Setting aside the “when does the clock start?” issue, the law also imposes an unrealistic requirement regarding the notification’s content. The entity must include in the notification, at minimum:
- A summary of the facts surrounding the cybersecurity or ransomware incident;
- The date on which the state agency most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing;
- The types of data compromised by the cybersecurity or ransomware incident;
- The estimated fiscal impact of the cybersecurity or ransomware incident; and,
- In the case of the ransomware incident, the details of the ransom demanded.
To be sure, most of this information is important and should ultimately be provided to relevant authorities in some form. Unfortunately, much of this information will not be available (or accurate) within 48 hours of discovering the incident. While it is fair to speculate that there will not be significant negative consequences for governmental entities that try in good faith to meet these notification requirements but fall short, the better approach would have been to require a high-level description in the 48-hour notification, then await the required after-action report for the more fulsome details.
After the Cybersecurity Operations Center receives the required notice, it must then inform the Florida Senate President and the Florida House Speaker of levels 3, 4, and 5 incidents within 12 hours of receiving notice. That notice need only include a high-level description of the incident and the likely effects.
Additionally, the Cybersecurity Operations Center must provide a consolidated incident report on a quarterly basis to the Senate President, Speaker of the House, and the Florida Cybersecurity Advisory Council.
- Why may the early notification requirement be potentially harmful?
Experienced incident response professionals, particularly those that deal with early notification requirements in contracts or the GDPR, will tell you that detailed reporting within a short period of time after an incident is typically useless and sometimes harmful. The impacted state agency will not have much to report, the entity will not know the full scope of impacted data, it will not have any idea of the fiscal impact of the incident, and it may not even know the ransom demanded.
In fact, requiring an entity to speculate on these questions will probably do more harm than good. First, the entity will need to devote limited and precious resources to preparing the notification, submitting it, responding to questions, and tracking down additional information that probably should not be the entity’s first priority during those incredibly important first few days. Second, the entity will likely provide information that later turns out to be incorrect because the fog of a cyberattack lasts days or weeks after the initial attack. As a result, third-parties may take steps and create unnecessary fear amongst the general public based on incomplete or inaccurate information. Lastly, another cook (or multiple additional cooks) will be in the kitchen, which is a recipe for disaster when it comes to cybersecurity incident response.
Again, the better way to do this, assuming notification to the DLE is necessary at all, would have been to require a “high-level” description (initially) and more fulsome details within 30 days (or as part of the after-action report (below)).
- What are the new cybersecurity training requirements?
All state agency technology professionals and employees with access to “highly sensitive information” (which is undefined) must receive cybersecurity training annually and within 30 days after commencing employment. The training (prepared by the Florida Digital Service) must focus on cybersecurity risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training must also include identification of each cybersecurity incident severity level.
All local government employees must take cybersecurity training (prepared by the Florida Digital Service) within 30 days of commencing employment and annually thereafter. Local government employees with access to “highly sensitive information” (undefined) must complete advanced cybersecurity training within 30 days of commencing employment and annually thereafter.
- What are the “after-action report” requirements?
Within one week after remediation of a cybersecurity incident or ransomware incident, state agencies must submit to the Florida Digital Service an after-action report that summarizes the incident, the incident’s resolution, and any insights gained from the incident. Overall, this is a positive development. These reports can be leveraged to identify common weaknesses, pivot on cybersecurity strategy, and limit future incidents. If done right, this requirement will allow public entities to learn from others’ experiences. Even this requirement, however, will require some guidance and fine-tuning. For example, it’s not clear when “remediation” occurs – is it when the threat actor has been eliminated? Is it after the underlying vulnerabilities have been remediated? What if, as is often the case, remediation requires expensive, time-consuming measures that will take months to complete?
- What cybersecurity requirements are imposed on local governments?
The requirements include cybersecurity training (see question 7 above); adoption of cybersecurity standards consistent with the NIST framework; and incident notification requirements similar to those imposed on state agencies.
The development of the cybersecurity standards must still take place. So local governments will likely be left scratching their heads for the time being, until more guidance is provided. Fortunately, the timeframe for adoption is staggered and not until 2024. Counties with a population of 75,000 or more are up first, and must adopt the standards by January 1, 2024. Counties with a population of less than 75,000 must adopt the standards by January 1, 2025. Municipalities with a population of 25,000 or more must adopt the standards by January 1, 2024. Municipalities with a population of less than 25,000 must adopt the standards by January 1, 2025. Each local government must notify the Florida Digital Service of its compliance with these requirements “as soon as possible.”
The incident notification requirements are similar to those imposed on state agencies. Local governments must provide notification of a cybersecurity incident or ransomware incident to the Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement, and sheriff who has jurisdiction over the local government. The notification must include all the information discussed in response to question 5 above. It must also include a statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government. The notice must include the same types of information and the notification deadlines are the same. The only significant difference is that local governments must notify the sheriff with jurisdiction over the local government, in addition to notifying the Cybersecurity Operations Center and the Department of Law Enforcement. (The law does not appear to impose an obligation for law enforcement, like the various sheriff offices, to notify anyone of an incident.) As with state agencies, the Cybersecurity Operations Center will notify other political entities upon receiving notice from a local government.
Local governments, like state agencies, must submit their after-action report to the Florida Digital Service within one week of remediating the incident.
- What role does the Florida Cybersecurity Advisory Council play?
The Florida Cybersecurity Advisory Council was created to help state agencies protect their IT resources from cyber threats and incidents. The new amendments expand the scope of the council’s purpose to include advising counties and municipalities on cybersecurity, including cybersecurity threats, trends, and best practices. The new amendments also require the council to meet quarterly to identify commonalities; develop best practice recommendations for state agencies, counties, and municipalities; and, recommend any additional information that a county or municipality should report to the Florida Digital Service as part of its cybersecurity incident or ransomware incident notification. The council must also provide the Governor, Senate President, and House Speaker a comprehensive report each year that includes data, trends, analysis, findings, and recommendations for state and local action regarding ransomware incidents. The after-action reporting should be helpful to the Council in prioritizing the most effective threat mitigation measures and providing instructions that will assist state agencies and local governments in responding to future cyberattacks.
- What criminal penalties do the new amendments create?
A person who engages in a ransomware attack against a government entity commits a first-degree felony. Additionally, an employee or contractor of a governmental entity with access to the governmental entity’s network who willfully and knowingly aids or abets another in the commission of a ransomware attack also commits a first degree felony. A person convicted of either criminal act must pay a fine equal to twice the amount of the ransom demanded.
These new criminal penalties are steps in the right direction and additional arrows in a prosecutor’s quiver. As a practical matter, however, they probably will not be used often because the origins of most ransomware attacks are very difficult to determine and the threat actors typically reside in locations of the world where extradition is challenging. For a riveting and informative storytelling of a threat actor who was captured and prosecuted by the United States, listen to the “Hack Me If You Can” episodes of the WSJ’s “The Journal” podcast, as reported by leading cybersecurity journalist, Robert McMillan.
- What are the implications for insurance?
Cyber insurance carriers/brokers will have a keen interest in this development, particularly where they have written/procured policies for Florida-based state agencies and local governments. It will be interesting to see, for example, what role extortion coverage will have in future cyber policies for Florida governmental entities, and whether Florida will create a trend for other states.
- What benefits do these amendments to the State Cybersecurity Act create?
The new amendments are helpful in several ways:
- State agencies and local governments will require more robust cybersecurity training for their employees, further mitigating the “human risk”.
- State agencies and local governments will need to think about NIST in developing technical, administrative, and physical safeguards that protect sensitive information.
- State agencies and local governments will notify state officials more quickly about significant cybersecurity incidents.
- The collective information obtained from the various after-action reports should help identify trends, ways to mitigate these risks in the future, and help in prioritizing cybersecurity safeguards for entities that have limited resources. The public (and journalists) may also have new information from which to learn about cyberattacks against public entities.
- What problems do these amendments create?
The news is not all good. There will be some negative consequences from the amendments:
- There will be instances where state agencies and local governments may not have a secure backup of important historical or sensitive information, and without the ability to negotiate and pay a ransom, that information could be lost forever.
- State agencies and local governments will constantly be in violation of the new notification requirements as it is highly unlikely they will have all the information necessary to meet the requirements within 12 or 48 hours.
- Forcing state and local entities to provide detailed notice so quickly will force them to speculate and could potentially lead to action based on unintentional inaccuracies. This problem may be exacerbated by the lack of clarity regarding when the clock starts ticking on the 12 or 48-hour deadline.
- Involving multiple state agencies and political entities means there will be more “cooks in the kitchen.” More phone calls and meetings to take where that time could have been spent responding to the incident. More paperwork to complete. More investigative whims of others to pursue. That is not a recipe for an efficient response to a cyberattack.
- While the collective benefit from information about cyberattacks will be helpful, it does create a “treasure trove” of information that, if not carefully reviewed/redacted/secured, could be misused.
- Where state and local entities may have previously engaged with threat actors in an effort to buy more time to investigate, perform triage, and respond to a cyberattack, they may now be scared to do that lest they violate the prohibition against ransomware payments/compliance.
- State and local entities may have spent significant financial resources on cyber extortion insurance coverage that could now have limited value.
The spirit of these new amendments is solid – require state and local entities to adopt stronger cybersecurity safeguards; raise awareness of cybersecurity incidents; and encourage coordination on cybersecurity between government entities. But some additional changes should be considered:
- It is unclear what triggers the ransom payment prohibition. For example, what happens if a third party pays the ransom on behalf of the state/local entity? Are communications with the threat actor permitted?
- The prohibition of ransom payments is too absolutist, which will lead to Floridians permanently losing access to sensitive or important information. While the “we don’t pay bad guys” reaction is often correct, it could make things worse. Critical services could become unavailable if a secure backup of impacted systems is not available.
- For the notification requirements, require only a high-level description of the incident in the 12- and 48-hour notices. This will ensure the notifications are more accurate and, of course, nobody is preventing further oral discussion about the incident once the notification has been provided.
- It is unclear when the clock starts to run on the notification requirements. Does it start when the impacted entity discovers the incident? Does it start after the impacted entity determines the severity level (and understands the applicable notification requirement)?
- Consider how to minimize politicizing cybersecurity incidents – which will almost certainly occur if political leaders must be notified of these disruptions. There are already enough disincentives to providing notification of an incident. Adding a political element could make it worse.
- For the cybersecurity training requirement, define “highly sensitive information” (the trigger for who must receive the training).
- For after-action reports, clarify what “remediation” means for timing purposes. It is not uncommon for an incident to take several months to complete remediation, and some entities do not complete it at all of they have limited resources (as is the case with certain public entities).
- Continue to require more detailed information in the after-action report, but consider how to ensure that the information is redacted, encrypted, secured, and not subject to public access requests that could create security risks for impacted entities.
Hopefully these potential improvements will be considered and addressed in the future.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients. Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site are for informational purposes only. It is not legal advice nor should it be relied on as legal advice.