Florida Senate - 2022                                    SB 1670
       By Senator Hutson
       7-01444A-22                                           20221670__
    1                        A bill to be entitled                      
    2         An act relating to cybersecurity; amending s. 252.351,
    3         F.S.; requiring specified entities to report certain
    4         computer attacks to the State Watch Office within the
    5         Division of Emergency Management; creating s.
    6         282.3185, F.S.; defining terms; requiring local
    7         governments to adopt certain cybersecurity standards
    8         by a specified date; requiring local governments to
    9         report certain information to the Florida Digital
   10         Service; requiring local governments to conduct
   11         vulnerability testing at certain intervals; requiring
   12         certain local government employees and persons to
   13         undergo specified training; requiring the Florida
   14         Digital Service and the Florida Cybersecurity Advisory
   15         Council to develop training requirements and conduct
   16         training at certain intervals; requiring state
   17         agencies and local governments to report certain
   18         incidents to specified entities within specified time
   19         periods; requiring a report on certain incidents to be
   20         submitted to the Florida Cybersecurity Advisory
   21         Council; prohibiting local governments from paying a
   22         ransom before communicating with specified entities;
   23         requiring the Florida Digital Service to create a
   24         specified checklist; amending s. 815.06, F.S.;
   25         defining the term “ransomware”; prohibiting specified
   26         offenses concerning ransomware; providing criminal
   27         penalties; providing for disposition of fines for such
   28         offenses; providing an appropriation; providing an
   29         effective date.
   31  Be It Enacted by the Legislature of the State of Florida:
   33         Section 1. Subsection (2) of section 252.351, Florida
   34  Statutes, is amended, to read:
   35         252.351 Mandatory reporting of certain incidents by
   36  political subdivisions.—
   37         (2) The division shall create and maintain a list of
   38  reportable incidents. The list shall include, but is not limited
   39  to, the following events:
   40         (a) Major fires, including wildfires, commercial or
   41  multiunit residential fires, or industrial fires.
   42         (b) Search and rescue operations, including structure
   43  collapses or urban search and rescue responses.
   44         (c) Bomb threats or threats to inflict harm on a large
   45  number of people or significant infrastructure, suspicious
   46  devices, or device detonations.
   47         (d) Natural hazards and severe weather, including
   48  earthquakes, landslides, or ground subsidence or sinkholes.
   49         (e) Public health and population protective actions,
   50  including public health hazards, evacuation orders, or emergency
   51  shelter openings.
   52         (f) Animal or agricultural events, including suspected or
   53  confirmed animal diseases, suspected or confirmed agricultural
   54  diseases, crop failures, or food supply contamination.
   55         (g) Environmental concerns, including an incident of
   56  reportable pollution release as required in s. 403.077(2).
   57         (h) Nuclear power plant events, including events in process
   58  or that have occurred which indicate a potential degradation of
   59  the level of safety of the plant or which indicate a security
   60  threat to facility protection.
   61         (i) Major transportation events, including aircraft or
   62  airport incidents, passenger or commercial railroad incidents,
   63  major road or bridge closures, or marine incidents involving a
   64  blocked navigable channel of a major waterway.
   65         (j) Major utility or infrastructure events, including dam
   66  failures or overtopping, drinking water facility breaches, or
   67  major utility outages or disruptions involving transmission
   68  lines or substations.
   69         (k) Military events, when information regarding such
   70  activities is provided to a political subdivision.
   71         (l)Attacks on a computer or network of a local government,
   72  as defined in s. 215.89(2)(c), or a hospital, as defined in s.
   73  395.002(13), including ransomware attacks and data breaches.
   74         Section 2. Section 282.3185, Florida Statutes, is created
   75  to read:
   76         282.3185Local governments; cybersecurity.—
   77         (1)As used in this section, the term:
   78         (a)“Local government” has the same meaning as provided in
   79  s. 215.89(2)(c).
   80         (b)“Ransomware” has the same meaning as provided in s.
   81  815.06(1).
   82         (2)(a)By January 1, 2024, each local government must adopt
   83  cybersecurity standards for all information technology and
   84  operational technology which comply with the National Institute
   85  of Standards and Technology cybersecurity framework that is
   86  appropriate for the size of the organization. Redundancies such
   87  as routine backups of critical information and multifactor
   88  authentication must be required as part of these standards. A
   89  local government shall report its standards to the Florida
   90  Digital Service.
   91         (b)Each local government must conduct vulnerability
   92  testing of its information technology and operational technology
   93  not less than every 2 years.
   94         (3)(a)Each local government employee with access to a
   95  local government network must receive training when he or she
   96  begins employment and at intervals thereafter, as specified by
   97  the Florida Digital Service which, at a minimum, addresses
   98  phishing and digital hygiene.
   99         (b)All local government technology professionals and
  100  persons with access to highly sensitive information shall be
  101  required to undergo intensive cybersecurity training.
  102         (c)The Florida Digital Service and the Florida
  103  Cybersecurity Advisory Council shall develop the training
  104  requirements and conduct each training virtually at certain
  105  times of the year.
  106         (4)All state agencies, as defined in s. 282.602(6), and
  107  local governments shall report all cybersecurity and ransomware
  108  incidents to the State Watch Office, the Florida Digital
  109  Service, the Executive Office of the Governor, the Department of
  110  Law Enforcement, and local law enforcement agencies within 12
  111  hours of discovery. The state chief information officer and the
  112  Florida Cybersecurity Advisory Council will directly advise the
  113  Governor on the event. Once a cybersecurity or ransomware
  114  incident has concluded, a report must be submitted to the
  115  Florida Cybersecurity Advisory Council which summarizes the
  116  incident, how the incident was resolved, and lessons learned.
  117         (5)(a)If a ransomware incident or cyber extortion incident
  118  has occurred, a local government may not pay ransom before
  119  communicating with the Florida Digital Service and the local law
  120  enforcement agencies.
  121         (b)The Florida Digital Service shall create a ransomware
  122  checklist for local governments which lists the factors a local
  123  government must consider before paying a ransom.
  124         Section 3. Present subsections (5) through (9) of section
  125  815.06, Florida Statutes, are redesignated as subsections (6)
  126  through (10), respectively, subsection (1) is amended, a new
  127  subsection (5) is added to that section, and subsection (2) is
  128  republished, to read:
  129         815.06 Offenses against users of computers, computer
  130  systems, computer networks, and electronic devices.—
  131         (1) As used in this section, the term:
  132         (a)1.“Ransomware” means a computer contaminant or lock
  133  placed or introduced without authorization into a computer,
  134  computer system, computer network, or electronic device which
  135  does any of the following:
  136         a.Restricts access by an authorized person to the
  137  computer, computer system, computer network, or electronic
  138  device or to any data held by the computer, computer system,
  139  computer network, or electronic device under circumstances in
  140  which the person responsible for the placement or introduction
  141  of the computer contaminant or lock demands payment of money or
  142  other consideration to:
  143         (I)Remove the computer contaminant or lock;
  144         (II)Restore access to the computer, computer system,
  145  computer network, electronic device, or data; or
  146         (III)Otherwise remediate the impact of the computer
  147  contaminant or lock; or
  148         b.Transforms data held by the computer, computer system,
  149  or computer network, or electronic device into a form in which
  150  the data is rendered unreadable or unusable without the use of a
  151  confidential process or key.
  152         2.The term does not include authentication required to
  153  upgrade or access purchased content or the blocking of access to
  154  subscription content in the case of nonpayment for the access.
  155         (b) “User” means a person with the authority to operate or
  156  maintain a computer, computer system, computer network, or
  157  electronic device.
  158         (2) A person commits an offense against users of computers,
  159  computer systems, computer networks, or electronic devices if he
  160  or she willfully, knowingly, and without authorization or
  161  exceeding authorization:
  162         (a) Accesses or causes to be accessed any computer,
  163  computer system, computer network, or electronic device with
  164  knowledge that such access is unauthorized or the manner of use
  165  exceeds authorization;
  166         (b) Disrupts or denies or causes the denial of the ability
  167  to transmit data to or from an authorized user of a computer,
  168  computer system, computer network, or electronic device, which,
  169  in whole or in part, is owned by, under contract to, or operated
  170  for, on behalf of, or in conjunction with another;
  171         (c) Destroys, takes, injures, or damages equipment or
  172  supplies used or intended to be used in a computer, computer
  173  system, computer network, or electronic device;
  174         (d) Destroys, injures, or damages any computer, computer
  175  system, computer network, or electronic device;
  176         (e) Introduces any computer contaminant into any computer,
  177  computer system, computer network, or electronic device; or
  178         (f) Engages in audio or video surveillance of an individual
  179  by accessing any inherent feature or component of a computer,
  180  computer system, computer network, or electronic device,
  181  including accessing the data or information of a computer,
  182  computer system, computer network, or electronic device that is
  183  stored by a third party.
  184         (5)(a)1.A person who places ransomware in a computer,
  185  computer system, computer network, or electronic device commits
  186  a felony of the first degree, punishable as provided in s.
  187  775.082 or s. 775.084, and shall be assessed a fine equal to or
  188  twice the amount of ransom demanded in the attack or the maximum
  189  fine provided under s. 775.083, whichever is greater.
  190         2.Notwithstanding any other law, fines collected under
  191  this subsection must be distributed as follows:
  192         a. Half of the fine must be provided to the Florida Digital
  193  Service to be used for cybersecurity operations.
  194         b.Half of the fine must be divided equally among law
  195  enforcement agencies and private entities or individuals who
  196  aided in the apprehension and conviction of the defendant.
  197         (b)An employee or a contractor of the government of this
  198  state or a local government, as defined in s. 215.89(2)(c), who
  199  knowingly and intentionally provides access to a person who
  200  commits a violation of:
  201         1.Subsection (2); or
  202         2.This subsection,
  204  commits a felony of the third degree, punishable as provided in
  205  s. 775.082, s. 775.083, or s. 775.084.
  206         Section 4. For the 2022-2023 fiscal year, the sum of $1
  207  million in nonrecurring funds is appropriated to the Florida
  208  Digital Service, which shall disburse the funds to local
  209  governments for the training required under s. 282.3185(3),
  210  Florida Statutes.
  211         Section 5. This act shall take effect July 1, 2022.