Florida Senate - 2022 SB 1670
By Senator Hutson
7-01444A-22 20221670__
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 252.351,
3 F.S.; requiring specified entities to report certain
4 computer attacks to the State Watch Office within the
5 Division of Emergency Management; creating s.
6 282.3185, F.S.; defining terms; requiring local
7 governments to adopt certain cybersecurity standards
8 by a specified date; requiring local governments to
9 report certain information to the Florida Digital
10 Service; requiring local governments to conduct
11 vulnerability testing at certain intervals; requiring
12 certain local government employees and persons to
13 undergo specified training; requiring the Florida
14 Digital Service and the Florida Cybersecurity Advisory
15 Council to develop training requirements and conduct
16 training at certain intervals; requiring state
17 agencies and local governments to report certain
18 incidents to specified entities within specified time
19 periods; requiring a report on certain incidents to be
20 submitted to the Florida Cybersecurity Advisory
21 Council; prohibiting local governments from paying a
22 ransom before communicating with specified entities;
23 requiring the Florida Digital Service to create a
24 specified checklist; amending s. 815.06, F.S.;
25 defining the term “ransomware”; prohibiting specified
26 offenses concerning ransomware; providing criminal
27 penalties; providing for disposition of fines for such
28 offenses; providing an appropriation; providing an
29 effective date.
30
31 Be It Enacted by the Legislature of the State of Florida:
32
33 Section 1. Subsection (2) of section 252.351, Florida
34 Statutes, is amended, to read:
35 252.351 Mandatory reporting of certain incidents by
36 political subdivisions.—
37 (2) The division shall create and maintain a list of
38 reportable incidents. The list shall include, but is not limited
39 to, the following events:
40 (a) Major fires, including wildfires, commercial or
41 multiunit residential fires, or industrial fires.
42 (b) Search and rescue operations, including structure
43 collapses or urban search and rescue responses.
44 (c) Bomb threats or threats to inflict harm on a large
45 number of people or significant infrastructure, suspicious
46 devices, or device detonations.
47 (d) Natural hazards and severe weather, including
48 earthquakes, landslides, or ground subsidence or sinkholes.
49 (e) Public health and population protective actions,
50 including public health hazards, evacuation orders, or emergency
51 shelter openings.
52 (f) Animal or agricultural events, including suspected or
53 confirmed animal diseases, suspected or confirmed agricultural
54 diseases, crop failures, or food supply contamination.
55 (g) Environmental concerns, including an incident of
56 reportable pollution release as required in s. 403.077(2).
57 (h) Nuclear power plant events, including events in process
58 or that have occurred which indicate a potential degradation of
59 the level of safety of the plant or which indicate a security
60 threat to facility protection.
61 (i) Major transportation events, including aircraft or
62 airport incidents, passenger or commercial railroad incidents,
63 major road or bridge closures, or marine incidents involving a
64 blocked navigable channel of a major waterway.
65 (j) Major utility or infrastructure events, including dam
66 failures or overtopping, drinking water facility breaches, or
67 major utility outages or disruptions involving transmission
68 lines or substations.
69 (k) Military events, when information regarding such
70 activities is provided to a political subdivision.
71 (l) Attacks on a computer or network of a local government,
72 as defined in s. 215.89(2)(c), or a hospital, as defined in s.
73 395.002(13), including ransomware attacks and data breaches.
74 Section 2. Section 282.3185, Florida Statutes, is created
75 to read:
76 282.3185 Local governments; cybersecurity.—
77 (1) As used in this section, the term:
78 (a) “Local government” has the same meaning as provided in
79 s. 215.89(2)(c).
80 (b) “Ransomware” has the same meaning as provided in s.
81 815.06(1).
82 (2)(a) By January 1, 2024, each local government must adopt
83 cybersecurity standards for all information technology and
84 operational technology which comply with the National Institute
85 of Standards and Technology cybersecurity framework that is
86 appropriate for the size of the organization. Redundancies such
87 as routine backups of critical information and multifactor
88 authentication must be required as part of these standards. A
89 local government shall report its standards to the Florida
90 Digital Service.
91 (b) Each local government must conduct vulnerability
92 testing of its information technology and operational technology
93 not less than every 2 years.
94 (3)(a) Each local government employee with access to a
95 local government network must receive training when he or she
96 begins employment and at intervals thereafter, as specified by
97 the Florida Digital Service which, at a minimum, addresses
98 phishing and digital hygiene.
99 (b) All local government technology professionals and
100 persons with access to highly sensitive information shall be
101 required to undergo intensive cybersecurity training.
102 (c) The Florida Digital Service and the Florida
103 Cybersecurity Advisory Council shall develop the training
104 requirements and conduct each training virtually at certain
105 times of the year.
106 (4) All state agencies, as defined in s. 282.602(6), and
107 local governments shall report all cybersecurity and ransomware
108 incidents to the State Watch Office, the Florida Digital
109 Service, the Executive Office of the Governor, the Department of
110 Law Enforcement, and local law enforcement agencies within 12
111 hours of discovery. The state chief information officer and the
112 Florida Cybersecurity Advisory Council will directly advise the
113 Governor on the event. Once a cybersecurity or ransomware
114 incident has concluded, a report must be submitted to the
115 Florida Cybersecurity Advisory Council which summarizes the
116 incident, how the incident was resolved, and lessons learned.
117 (5)(a) If a ransomware incident or cyber extortion incident
118 has occurred, a local government may not pay ransom before
119 communicating with the Florida Digital Service and the local law
120 enforcement agencies.
121 (b) The Florida Digital Service shall create a ransomware
122 checklist for local governments which lists the factors a local
123 government must consider before paying a ransom.
124 Section 3. Present subsections (5) through (9) of section
125 815.06, Florida Statutes, are redesignated as subsections (6)
126 through (10), respectively, subsection (1) is amended, a new
127 subsection (5) is added to that section, and subsection (2) is
128 republished, to read:
129 815.06 Offenses against users of computers, computer
130 systems, computer networks, and electronic devices.—
131 (1) As used in this section, the term:
132 (a)1. “Ransomware” means a computer contaminant or lock
133 placed or introduced without authorization into a computer,
134 computer system, computer network, or electronic device which
135 does any of the following:
136 a. Restricts access by an authorized person to the
137 computer, computer system, computer network, or electronic
138 device or to any data held by the computer, computer system,
139 computer network, or electronic device under circumstances in
140 which the person responsible for the placement or introduction
141 of the computer contaminant or lock demands payment of money or
142 other consideration to:
143 (I) Remove the computer contaminant or lock;
144 (II) Restore access to the computer, computer system,
145 computer network, electronic device, or data; or
146 (III) Otherwise remediate the impact of the computer
147 contaminant or lock; or
148 b. Transforms data held by the computer, computer system,
149 or computer network, or electronic device into a form in which
150 the data is rendered unreadable or unusable without the use of a
151 confidential process or key.
152 2. The term does not include authentication required to
153 upgrade or access purchased content or the blocking of access to
154 subscription content in the case of nonpayment for the access.
155 (b) “User” means a person with the authority to operate or
156 maintain a computer, computer system, computer network, or
157 electronic device.
158 (2) A person commits an offense against users of computers,
159 computer systems, computer networks, or electronic devices if he
160 or she willfully, knowingly, and without authorization or
161 exceeding authorization:
162 (a) Accesses or causes to be accessed any computer,
163 computer system, computer network, or electronic device with
164 knowledge that such access is unauthorized or the manner of use
165 exceeds authorization;
166 (b) Disrupts or denies or causes the denial of the ability
167 to transmit data to or from an authorized user of a computer,
168 computer system, computer network, or electronic device, which,
169 in whole or in part, is owned by, under contract to, or operated
170 for, on behalf of, or in conjunction with another;
171 (c) Destroys, takes, injures, or damages equipment or
172 supplies used or intended to be used in a computer, computer
173 system, computer network, or electronic device;
174 (d) Destroys, injures, or damages any computer, computer
175 system, computer network, or electronic device;
176 (e) Introduces any computer contaminant into any computer,
177 computer system, computer network, or electronic device; or
178 (f) Engages in audio or video surveillance of an individual
179 by accessing any inherent feature or component of a computer,
180 computer system, computer network, or electronic device,
181 including accessing the data or information of a computer,
182 computer system, computer network, or electronic device that is
183 stored by a third party.
184 (5)(a)1. A person who places ransomware in a computer,
185 computer system, computer network, or electronic device commits
186 a felony of the first degree, punishable as provided in s.
187 775.082 or s. 775.084, and shall be assessed a fine equal to or
188 twice the amount of ransom demanded in the attack or the maximum
189 fine provided under s. 775.083, whichever is greater.
190 2. Notwithstanding any other law, fines collected under
191 this subsection must be distributed as follows:
192 a. Half of the fine must be provided to the Florida Digital
193 Service to be used for cybersecurity operations.
194 b. Half of the fine must be divided equally among law
195 enforcement agencies and private entities or individuals who
196 aided in the apprehension and conviction of the defendant.
197 (b) An employee or a contractor of the government of this
198 state or a local government, as defined in s. 215.89(2)(c), who
199 knowingly and intentionally provides access to a person who
200 commits a violation of:
201 1. Subsection (2); or
202 2. This subsection,
203
204 commits a felony of the third degree, punishable as provided in
205 s. 775.082, s. 775.083, or s. 775.084.
206 Section 4. For the 2022-2023 fiscal year, the sum of $1
207 million in nonrecurring funds is appropriated to the Florida
208 Digital Service, which shall disburse the funds to local
209 governments for the training required under s. 282.3185(3),
210 Florida Statutes.
211 Section 5. This act shall take effect July 1, 2022.