Florida state agencies and local governments are now subject to new cybersecurity requirements and prohibitions that went into effect on July 1, 2022. These new amendments to Florida’s State Cybersecurity Act (“the Cybersecurity Act”) impose practically impossible-to-meet notification requirements on state and local governmental entities and prohibit them from making ransom payments. Stepping back to look at the changes from a high level, the amendments will:

  • Establish penalties and fines for individuals who engage in ransomware attacks against a governmental entity;
  • Define the severity level of a cybersecurity incident and, based on the severity level, may require state agencies and local governments to notify the Florida Department of Law Enforcement’s Cybersecurity Office and the Cybersecurity Operations Center (CSOC) within 12 hours of a ransomware incident or 48 hours of other cybersecurity incidents;
  • Prohibit the payment of, or compliance with, a ransom demand;
  • Require state agencies and local governments to submit after-action reports to the Department of Law Enforcement following a cybersecurity or ransomware incident;
  • Require the CSOC to notify the Florida Legislature of high (or greater) severity level cybersecurity incidents within 12 hours of receiving a report from any local government. The CSOC must also provide the Legislature and the Cybersecurity Advisory Council with a consolidated incident report on a quarterly basis;
  • Require cybersecurity training for all state agency and local government employees within 30 days of employment and annually thereafter;
  • Require that local governments adopt cybersecurity standards that safeguard data, IT, and IT resources; and,
  • Expand the purpose of the Cybersecurity Advisory Council to include advising local governments on cybersecurity, to examine reported incidents to develop best practice recommendations, and to submit an annual comprehensive report regarding ransomware to the Governor and Legislature.

Some of these new requirements will be helpful – forcing government entities to think about and prioritize cybersecurity risk mitigation and avoidance, and ensuring that employees receive ongoing cybersecurity training. Other requirements/prohibitions will be harmful – resulting in permanent loss of sensitive data, significant operational interruptions, and unnecessary expenditures. Some requirements will be impossible to meet, requiring either a change in the law or constant violations of the law.

Here are some questions and answers about the recent amendments to the Cybersecurity Act:

  1. Where can I find a redlined version of the amendments to the Cybersecurity Act and the legislative analysis?

The full text of the underlying bill (HB 7055) showing the redlined changes to the Cybersecurity Act is here. The legislative analysis is here.

  2. Is it true that the new amendments prohibit certain public entities experiencing a ransomware attack from paying a ransom demand?

Yes. Section 282.3186, Fla. Stat. (2022), now states that: “A state agency as defined in s. 282.318(2), a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.” Section 282.318(2) defines a state agency as any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; the Public Service Commission; the Department of Legal Affairs; the Department of Agriculture and Consumer Services; and the Department of Financial Services. University boards of trustees and state universities do not fall within the definition of a “state agency.”

The new amendments are ambiguous as to whether certain activity is prohibited. The payment of money to a ransomware threat actor (or its agent) would certainly fall within the scope of prohibited activity, as would complying with a threat actor’s request to do something other than pay money. But what about communications with a threat actor that (falsely) imply cooperation with the threat actor to “buy more time” to respond to the threat? It is unlikely that such communication would be considered compliance with a ransom demand. How about payment of a ransom using a third party’s funds (e.g., reimbursement through insurance)? This seems far more likely to fall within the scope of prohibited activity. As a practical matter, insurance companies do not pay ransoms directly for their insureds. The insured (government entity) would pay the ransom (which likely violates the law) then seek reimbursement. Less clear is what happens if a third party pays the ransom on behalf of the government entity. In that instance, the degree to which the government entity influenced the payment of the ransom may be a significant factor, but again – the statute’s language is unclear.

  3. How does HB 7055 define “ransomware”? Does the prohibition apply only where ransomware tools are used, or does it apply also to unauthorized access and exfiltration of data (i.e., a cyberattack without the use of ransomware) followed by extortion to prevent further distribution of the stolen data?

A “ransomware incident” is defined as “a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.” In other words, a ransomware incident includes any unauthorized intrusion resulting in theft of data and a subsequent demand to prevent publication of that data. The use of ransomware tools/files is not required.

  4. What are the new severity levels for cybersecurity incidents?

The new amendments impose strict notification requirements for cyberattacks that do not involve ransomware. The speed with which notice must be provided to state officials by the attacked entity depends on the severity level of the cybersecurity incident. The new amendments have adopted severity levels established in the U.S. Department of Homeland Security’s National Cyber Incident Response Plan. The severity levels are as follows:

  • Level 5 – emergency-level incident that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents.
  • Level 4 – severe-level incident likely to result in a significant impact to public health or safety; national, state, or local security; economic security; or civil liberties.
  • Level 3 – high-level incident likely to result in a demonstrable impact to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
  • Level 2 – medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
  • Level 1 – low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

  5. Which incidents must be reported by state agencies? To whom? By when? What information must be included in the notification reports?

State agencies must report to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement (identified on its website as the Florida Computer Crime Center): (1) all ransomware incidents, and (2) any level 3, 4, or 5 cybersecurity incidents. Ransomware incidents must be reported within 12 hours of discovery. A level 3, 4, or 5 cybersecurity incident must be reported as soon as possible, but “no later than 48 hours after discovery of the cybersecurity incident.” State agencies must notify the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement of level 1 or 2 cybersecurity incidents “as soon as possible.”

There are potential problems with the new notification requirements. First, the impacted state agency may not know what “level” incident it is experiencing until well after it “discovers” the incident. Does the 48-hour clock start to run when the entity knows the incident level or, as the statute says, after discovering the incident?

Setting aside the “when does the clock start?” issue, the law also imposes an unrealistic requirement regarding the notification’s content. The entity must include in the notification, at minimum:

  • A summary of the facts surrounding the cybersecurity or ransomware incident;
  • The date on which the state agency most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing;
  • The types of data compromised by the cybersecurity or ransomware incident;
  • The estimated fiscal impact of the cybersecurity or ransomware incident; and,
  • In the case of the ransomware incident, the details of the ransom demanded.

To be sure, most of this information is important and should ultimately be provided to relevant authorities in some form. Unfortunately, much of this information will not be available (or accurate) within 48 hours of discovering the incident. While it is fair to speculate that there will not be significant negative consequences for governmental entities that try in good faith to meet these notification requirements but fall short, the better approach would have been to require a high-level description in the 48-hour notification, then await the required after-action report for the more fulsome details.

After the Cybersecurity Operations Center receives the required notice, it must then inform the Florida Senate President and the Florida House Speaker of levels 3, 4, and 5 incidents within 12 hours of receiving notice. That notice need only include a high-level description of the incident and the likely effects.

Additionally, the Cybersecurity Operations Center must provide a consolidated incident report on a quarterly basis to the Senate President, Speaker of the House, and the Florida Cybersecurity Advisory Council.

  6. Why might the early notification requirement be harmful?

Experienced incident response professionals, particularly those who deal with early notification requirements in contracts or the GDPR, will tell you that detailed reporting within a short period of time after an incident is typically useless and sometimes harmful. The impacted state agency will not have much to report: the entity will not know the full scope of impacted data, it will not have any idea of the fiscal impact of the incident, and it may not even know the ransom demanded.

In fact, requiring an entity to speculate on these questions will probably do more harm than good. First, the entity will need to devote limited and precious resources to preparing the notification, submitting it, responding to questions, and tracking down additional information that probably should not be the entity’s first priority during those incredibly important first few days. Second, the entity will likely provide information that later turns out to be incorrect because the fog of a cyberattack lasts days or weeks after the initial attack. As a result, third parties may take steps and create unnecessary fear amongst the general public based on incomplete or inaccurate information. Lastly, another cook (or multiple additional cooks) will be in the kitchen, which is a recipe for disaster when it comes to cybersecurity incident response.

Again, the better way to do this, assuming notification to the DLE is necessary at all, would have been to require a “high-level” description (initially) and more fulsome details within 30 days (or as part of the after-action report (below)).

  7. What are the new cybersecurity training requirements?

All state agency technology professionals and employees with access to “highly sensitive information” (which is undefined) must receive cybersecurity training annually and within 30 days after commencing employment. The training (prepared by the Florida Digital Service) must focus on cybersecurity risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training must also include identification of each cybersecurity incident severity level.

All local government employees must take cybersecurity training (prepared by the Florida Digital Service) within 30 days of commencing employment and annually thereafter. Local government employees with access to “highly sensitive information” (undefined) must complete advanced cybersecurity training within 30 days of commencing employment and annually thereafter.

  8. What are the “after-action report” requirements?

Within one week after remediation of a cybersecurity incident or ransomware incident, state agencies must submit to the Florida Digital Service an after-action report that summarizes the incident, the incident’s resolution, and any insights gained from the incident. Overall, this is a positive development. These reports can be leveraged to identify common weaknesses, pivot on cybersecurity strategy, and limit future incidents. If done right, this requirement will allow public entities to learn from others’ experiences. Even this requirement, however, will require some guidance and fine-tuning. For example, it’s not clear when “remediation” occurs – is it when the threat actor has been eliminated? Is it after the underlying vulnerabilities have been remediated? What if, as is often the case, remediation requires expensive, time-consuming measures that will take months to complete?

  9. What cybersecurity requirements are imposed on local governments?

The requirements include cybersecurity training (see question 7 above); adoption of cybersecurity standards consistent with the NIST framework; and incident notification requirements similar to those imposed on state agencies.

The development of the cybersecurity standards must still take place. So local governments will likely be left scratching their heads for the time being, until more guidance is provided. Fortunately, the timeframe for adoption is staggered and not until 2024. Counties with a population of 75,000 or more are up first, and must adopt the standards by January 1, 2024. Counties with a population of less than 75,000 must adopt the standards by January 1, 2025. Municipalities with a population of 25,000 or more must adopt the standards by January 1, 2024. Municipalities with a population of less than 25,000 must adopt the standards by January 1, 2025. Each local government must notify the Florida Digital Service of its compliance with these requirements “as soon as possible.”

The incident notification requirements are similar to those imposed on state agencies. Local governments must provide notification of a cybersecurity incident or ransomware incident to the Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement, and sheriff who has jurisdiction over the local government. The notification must include all the information discussed in response to question 5 above. It must also include a statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government. The notice must include the same types of information and the notification deadlines are the same. The only significant difference is that local governments must notify the sheriff with jurisdiction over the local government, in addition to notifying the Cybersecurity Operations Center and the Department of Law Enforcement. (The law does not appear to impose an obligation for law enforcement, like the various sheriff offices, to notify anyone of an incident.) As with state agencies, the Cybersecurity Operations Center will notify other political entities upon receiving notice from a local government.

Local governments, like state agencies, must submit their after-action report to the Florida Digital Service within one week of remediating the incident.

  10. What role does the Florida Cybersecurity Advisory Council play?

The Florida Cybersecurity Advisory Council was created to help state agencies protect their IT resources from cyber threats and incidents. The new amendments expand the scope of the council’s purpose to include advising counties and municipalities on cybersecurity, including cybersecurity threats, trends, and best practices. The new amendments also require the council to meet quarterly to identify commonalities; develop best practice recommendations for state agencies, counties, and municipalities; and, recommend any additional information that a county or municipality should report to the Florida Digital Service as part of its cybersecurity incident or ransomware incident notification. The council must also provide the Governor, Senate President, and House Speaker a comprehensive report each year that includes data, trends, analysis, findings, and recommendations for state and local action regarding ransomware incidents. The after-action reporting should be helpful to the Council in prioritizing the most effective threat mitigation measures and providing instructions that will assist state agencies and local governments in responding to future cyberattacks.

  11. What criminal penalties do the new amendments create?

A person who engages in a ransomware attack against a government entity commits a first-degree felony. Additionally, an employee or contractor of a governmental entity with access to the governmental entity’s network who willfully and knowingly aids or abets another in the commission of a ransomware attack also commits a first-degree felony. A person convicted of either criminal act must pay a fine equal to twice the amount of the ransom demanded.

These new criminal penalties are steps in the right direction and additional arrows in a prosecutor’s quiver. As a practical matter, however, they probably will not be used often because the origins of most ransomware attacks are very difficult to determine and the threat actors typically reside in locations of the world where extradition is challenging. For a riveting and informative storytelling of a threat actor who was captured and prosecuted by the United States, listen to the “Hack Me If You Can” episodes of the WSJ’s “The Journal” podcast, as reported by leading cybersecurity journalist, Robert McMillan.

  12. What are the implications for insurance?

Cyber insurance carriers/brokers will have a keen interest in this development, particularly where they have written/procured policies for Florida-based state agencies and local governments. It will be interesting to see, for example, what role extortion coverage will have in future cyber policies for Florida governmental entities, and whether Florida will create a trend for other states.

  13. What benefits do these amendments to the State Cybersecurity Act create?

The new amendments are helpful in several ways:

  • State agencies and local governments will require more robust cybersecurity training for their employees, further mitigating the “human risk”.
  • State agencies and local governments will need to think about NIST in developing technical, administrative, and physical safeguards that protect sensitive information.
  • State agencies and local governments will notify state officials more quickly about significant cybersecurity incidents.
  • The collective information obtained from the various after-action reports should help identify trends, ways to mitigate these risks in the future, and help in prioritizing cybersecurity safeguards for entities that have limited resources. The public (and journalists) may also have new information from which to learn about cyberattacks against public entities.

  14. What problems do these amendments create?

The news is not all good. There will be some negative consequences from the amendments:

  • There will be instances where state agencies and local governments may not have a secure backup of important historical or sensitive information, and without the ability to negotiate and pay a ransom, that information could be lost forever.
  • State agencies and local governments will constantly be in violation of the new notification requirements as it is highly unlikely they will have all the information necessary to meet the requirements within 12 or 48 hours.
  • Forcing state and local entities to provide detailed notice so quickly will force them to speculate and could potentially lead to action based on unintentional inaccuracies. This problem may be exacerbated by the lack of clarity regarding when the clock starts ticking on the 12 or 48-hour deadline.
  • Involving multiple state agencies and political entities means there will be more “cooks in the kitchen.” More phone calls and meetings to take where that time could have been spent responding to the incident. More paperwork to complete. More investigative whims of others to pursue. That is not a recipe for an efficient response to a cyberattack.
  • While the collective benefit from information about cyberattacks will be helpful, it does create a “treasure trove” of information that, if not carefully reviewed/redacted/secured, could be misused.
  • Where state and local entities may have previously engaged with threat actors in an effort to buy more time to investigate, perform triage, and respond to a cyberattack, they may now be scared to do that lest they violate the prohibition against ransomware payments/compliance.
  • State and local entities may have spent significant financial resources on cyber extortion insurance coverage that could now have limited value.

Summary

The spirit of these new amendments is solid – require state and local entities to adopt stronger cybersecurity safeguards; raise awareness of cybersecurity incidents; and encourage coordination on cybersecurity between government entities. But some additional changes should be considered:

  • It is unclear what triggers the ransom payment prohibition. For example, what happens if a third party pays the ransom on behalf of the state/local entity? Are communications with the threat actor permitted?
  • The prohibition of ransom payments is too absolutist, which will lead to Floridians permanently losing access to sensitive or important information. While the “we don’t pay bad guys” reaction is often correct, it could make things worse. Critical services could become unavailable if a secure backup of impacted systems is not available.
  • For the notification requirements, require only a high-level description of the incident in the 12- and 48-hour notices. This will ensure the notifications are more accurate and, of course, nobody is preventing further oral discussion about the incident once the notification has been provided.
  • It is unclear when the clock starts to run on the notification requirements. Does it start when the impacted entity discovers the incident? Does it start after the impacted entity determines the severity level (and understands the applicable notification requirement)?
  • Consider how to minimize politicizing cybersecurity incidents – which will almost certainly occur if political leaders must be notified of these disruptions. There are already enough disincentives to providing notification of an incident. Adding a political element could make it worse.
  • For the cybersecurity training requirement, define “highly sensitive information” (the trigger for who must receive the training).
  • For after-action reports, clarify what “remediation” means for timing purposes. It is not uncommon for an incident to take several months to complete remediation, and some entities do not complete it at all if they have limited resources (as is the case with certain public entities).
  • Continue to require more detailed information in the after-action report, but consider how to ensure that the information is redacted, encrypted, secured, and not subject to public access requests that could create security risks for impacted entities.

Hopefully these potential improvements will be considered and addressed in the future.

DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients. Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site are for informational purposes only. It is not legal advice nor should it be relied on as legal advice.

Florida will not pass a comprehensive data privacy law for the second year in a row. It will be easy for some to speculate that the bill died because the House insisted on a private right of action. That speculation would be wrong. The bill died because there were multiple differing views on the law’s scope, what activity the law should apply to, and how the law should be enforced. I am confident we will see another data privacy bill introduced next year. But I don’t know how vigorously the new incoming House Speaker will push it.

I have truly enjoyed my experiences in Tallahassee these last two legislative sessions. I found our lawmakers always willing to listen (even if they didn’t change their positions). The ones I met were humble and deferential. They genuinely wanted to learn more about how (and why) companies collect, use, and share personal information. The political climate in Tallahassee was nothing like what I had imagined based on what I have seen occur in Washington, DC. I always observed Republicans and Democrats at the local watering holes together every evening. They laughed, shared personal stories, played practical jokes on each other, and engaged in real discussion about their pet projects. I never heard a nasty or demeaning word spoken about a fellow politician, even when there was vehement disagreement with their underlying position on an issue.

I met so many political figures who made me proud to be a Floridian. I was blown away by the fortitude and deep knowledge Representative McFarland exhibited fighting for her bill on telephone calls and in committee hearings. I admired the thoughtfulness and moderation Representative Diamond showed in debating the legitimate strengths and real concerns with HB 9. I enjoyed watching the tenacity Representative Learned displayed introducing several amendments that could have resulted in the bill becoming law if they had passed. I appreciated the kind and generous ear Representative Ingoglia gave to individuals like me who went over our allotted time to provide public comment. And then there were all the wonderful folks “behind the scenes” – the legislative aides (in both parties) who wanted to engage in debate/discussion and learn more about the practical implications of the language of their bills.

I can tell you firsthand, Florida, you have some amazing leaders in Tallahassee. I truly hope we get to see some of them represent us at the national level.

The Florida House of Representatives today passed HB 9 by a vote of 103 to 8. The bill would be Florida’s first “comprehensive” data privacy law. You can read this post to learn more about what the bill would do; this one for a deeper dive; and, this one for the latest amendments.

Floor Debate

Unsurprisingly, the floor debate was filled with the same arguments we heard in committee hearings. Unfortunately, that included the myth that HB 9 applies only to companies that buy or sell personal information. At one point, Rep. Eskamani (D) said, “If you’re not selling data, you are fine. If you are not making off personal identifying information, then you are fine.” Similarly, Representative Beltran (R) said, “This bill only applies to people who buy and sell people’s data. If you’re not in that business then you shouldn’t have a problem.”

Let’s be clear – this argument is patently and objectively false. As I’ve pointed out in a previous blog post and in my public comment directly to the House Commerce and Judiciary committees, the mere “access” to personal information can trigger this bill’s scope. Nevertheless, from HB 9’s inception, the House leadership promoted the bill as limited only to “companies that buy or sell information” and “companies that earn at least 50% of their revenue from buying or selling personal information.” Why? Because it’s an easier pill to swallow if the House members think the bill is narrowly tailored such that it won’t adversely impact Florida businesses. It’s easier to “vilify” companies that exist primarily to buy/sell personal information. But it’s intellectually dishonest and it fosters the growing distrust people have of certain elected leaders.

One of the most insightful comments was by Rep. Diamond (D), who hesitatingly predicted, “I think that this issue is not going to be resolved this session, most likely, as I understand the posture we’re in with regard to the Senate.” Rep. Diamond voted in favor of the bill but encouraged further consideration of a right to cure in the private right of action provision similar to the right to cure built into the Florida Attorney General’s enforcement authority:  “I just wanted to encourage the members of the House that are going to continue to work on this project going forward to the extent it’s not resolved this session to think about the enforcement provisions in this bill versus other ways we could enforce these provisions. Because I do think 99% of the businesses in this state are going to want to come into compliance with these new regulations and we want to provide opportunities for businesses to come into compliance. And that is there in the enforcement mechanism that the representative has in this bill for the Attorney General. It’s geared around businesses coming into compliance. It’s not quite there yet with regard to the private cause of action because there isn’t a formal notice and opportunity to cure provision, but you can’t let the perfect be the enemy of the good.”

Ultimately, 75% of the members who opposed the bill were Democrats, yet Democrats make up only one-third of the House membership.

What’s Next?

After the bill passed the House, it was sent to the Senate and the Senate referred the bill to the Judiciary Committee. The Judiciary Committee has a number of options at this point, including:

  • Doing nothing. With a little over a week remaining in the legislative session and many priorities still for the Senate to consider, there simply may not be enough time for the Senate Judiciary Committee to consider any draft of a privacy bill. It’s also possible that the Judiciary Committee may not meet again at all.
  • Amending HB 9 with a proposed strike-all (approved by the Senate President). The strike-all would replace HB 9 with a more business-friendly version of a privacy bill that does some or all of the following: removes the private right of action; builds in a right to cure (if a private right of action remains); limits the bill’s scope to companies that buy or sell personal information; changes the scope to focus on certain kinds of companies; and/or eliminates some of the compliance challenges created by HB 9. That version would pass the Judiciary Committee, then the Senate floor, and the Senate President would then engage in horse-trading with the House Speaker to pick a version for the Governor to sign.
  • Considering SB 1864. We have forgotten that the Senate has its own privacy bill (which was actually the first privacy bill to be introduced this legislative session). That bill’s sponsor (Jennifer Bradley) is a member of the Senate Judiciary Committee. That could be the version of a privacy law the Senate Judiciary Committee considers.
  • Considering HB 9 in its current form. Pretty self-explanatory.

If I were forced to pick the most likely option, I’d go with the second one, but the first and third options wouldn’t surprise me either. I don’t think the fourth option is realistic. The next 48 hours could be revealing.

Governor DeSantis, who for the most part has stayed out of the public debate on HB 9 this year, will likely weigh in behind the scenes to push one version over the other. We know the Governor is a supporter of Florida businesses, wants to encourage investment in Florida, and is concerned about the potential for abuse of an unnecessary private right of action, but we also know he supports a law that gives Floridians more control over their data and creates an ability to punish “big tech” for any lack of compliance. A version of HB 9 with a more narrowly-tailored scope and without a private right of action would strike that balance because the Republican Attorney General could still use the law to pursue companies she determined to be in violation of it.

It will be interesting to see how things unfold over the next week.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

It was a busy week for HB 9 in Tallahassee. There was a strike-all amendment, several proposed unfriendly amendments, a House Judiciary Committee meeting, a second strike-all, more unfriendly amendments, and a date for a House floor vote. This post will summarize what happened and provide a roadmap for the final two weeks of the Florida legislative session.

Continue Reading HB 9 Moves to House Floor, Democratic Opposition Emerges

In my last post, I wrote about my impression that legislators and staff do not intend for HB 9 to apply to companies that merely “receive” personal information (i.e., those that do not engage in buying or selling personal information). Based on that understanding, I suggested the second threshold of the bill’s scope be amended as follows: “Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under subsection (1).” (You’ll recall that the other two threshold requirements under HB 9 are global annual gross revenue of more than $50 million, and at least 50% of global annual revenue from selling or sharing personal information about consumers.)

I now realize that I missed an important additional change to the definition of “share” that would need to be made in conjunction with the above changes. The bill defines “share” as “to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer’s personal information for advertising or marketing.”  Which of those words is not like the other?  Access. Access is a passive activity that does not require the provision of personal information to another entity.

Why is this change important? Because the removal of “receives” is based on the proposition that companies that merely receive personal information, but do not buy or sell it, should not fall within the bill’s scope.  But if the definition of share includes “access” then companies that merely receive (i.e., access) personal information without buying/selling the information would still be within the bill’s scope.

In short, the bill should also remove the term “access” from the definition of “share” if it is to truly be limited to companies that buy and sell personal information for targeted advertising purposes.

What’s Next for HB 9 and SB 1864?

HB 9 is expected to be heard by the House Judiciary Committee on Wednesday.

The Senate, however, is far more concerned about the $300,000 to $750,000 annual “tax” (in the form of compliance costs) and the potential abuse from a private right of action with statutory damages that a bill like HB 9 will impose on companies doing business in Florida. If HB 9 were to pass, Florida would become the first state in the country to create a private right of action for violation of privacy provisions like right of access, deletion, correction, and opt-in consent. None of these developments are consistent with the state’s attempt to brand itself as business-friendly. In contrast, just north of the border, Georgia has introduced its own privacy bill that would be limited to companies that generate at least 50% of their revenue from selling/buying personal information.

This promises to be an interesting week ahead.

One Last Consideration As We Enter The Final Stretch

I have wondered whether lawmakers have contemplated the impact of HB 9 on their own campaigns. Political campaigning and the research that goes into creating strategy and identifying voters have become extremely sophisticated, as we saw from the Cambridge Analytica issue. To be sure, some of the collected information is public or deidentified/aggregated (and therefore exempt) but much of the information that goes into profiling and research is not. Additionally, political committees/entities are not typically considered “not for profit” entities that would be exempt from the definition of a controller. Nor is much of the information collected directly from the Florida resident.

If political candidates and their campaign committees become controllers (or third parties) under the law, one could see how HB 9 could create problems for legislative and executive branch candidates, who would need to devote scarce resources to building compliance programs and potentially defending lawsuits brought by their opponents’ supporters, who could use the private right of action, with its statutory damages and attorney’s fees, to force spending on litigation and to generate negative publicity.



Last week, HB 9 (the leading privacy bill on the House side of the Florida legislature) made its first of two committee stops in the House Commerce Committee. The bill passed unanimously. Just as important, however, the hearing revealed a potential misunderstanding as to the scope of the bill.

This blog post will dive into HB 9’s scope in greater depth, as that may be the most significant issue for companies wondering whether the bill would apply to them. The post will offer suggestions to bridge the disconnect and it will make suggestions to address other concerns many companies have with HB 9. The post ends with an analysis of what to expect next with HB 9 and its Senate counterpart.

Continue Reading The Future Comes Into Focus For HB 9

The Florida House of Representatives has introduced its version of a comprehensive privacy law (HB 9 – no fancy acronym, unlike the FPPA in the Senate).  This blog post will explain the key differences between the House and Senate versions. I also propose two changes to the private right of action that would mitigate the risk of professional plaintiffs filing gotcha lawsuits. The post ends with a roadmap of what to expect moving forward in this legislative session.

Continue Reading Comparing Florida’s Two Leading Privacy Bills

The Florida House of Representatives has released its version of a proposed comprehensive privacy law.  Coming in at 31 pages, HB 9 is sponsored by Representative McFarland (a champion of data privacy on the House side). On quick review, it appears to have some important changes from the version the House considered last year (HB 969), including:

  • a significantly reduced private right of action (no private right of action for data breaches), though the lack of a right to cure will create problems;
  • a universal plug-in option for communicating privacy preferences;
  • annual AG reports to Legislature; and,
  • changes to data retention rules.

I intend to provide more thoughts, a deeper analysis, and a comparison to the Senate’s version within the next 24 hours.


This blog post will summarize Senate Bill 1864, released on Friday, which is the first “comprehensive” privacy bill to be released in advance of the 2022 Florida legislative session. This is a long post, so I begin with a “too long, didn’t read” section that I’ve found helpful in articles I’ve read. I then describe the FPPA in detail, but by pulling various pieces of the 34-page law together by subject matter. I close with some personal opinions about this bill and what we can expect in the upcoming legislative session.

Continue Reading Will The FPPA Be Florida’s First Comprehensive Privacy Law?

New regulatory activity may help companies experience fewer ransomware attacks and could impact whether ransoms can be paid to threat actors. The activity includes guidance and sanctions by the Department of Treasury (“Treasury”) and a host of resources provided by the Health and Human Services Office for Civil Rights. This post describes the activity, its impact on companies that experience a ransomware attack, and practical takeaways for in-house counsel.

Continue Reading To Pay or Not To Pay: What New Regulatory Activity Means for Ransomware Victims