
A new Florida law prohibits state agencies and local governments from paying ransomware demands. It also requires annual employee cybersecurity training and other protective measures to secure their technology.

House Bill 7055, also known as the Local Government Cybersecurity Act, was signed into state law on June 24, 2022. An enhancement of existing law, it was prompted by increasing cyberattacks on government agencies in recent years. From counties and municipalities to water districts and sheriff’s offices, government entities are facing greater threats to their operations and data security.

The legislation, which took effect on July 1, covers several areas and involves coordination with the Florida Digital Service and the Department of Management Services. Here are the key highlights.

No More Ransom Payments

Local governments and state agencies may no longer pay or otherwise comply with a cybercriminal’s ransom demand. Such demands typically involve large sums of money but can also include gift cards or changes in policy.

Most security practitioners advise against paying: a ransom funds the next attack and signals that this class of victim pays. By establishing that Florida government entities will not pay, the law removes a major financial incentive for targeting them. It does not remove every incentive, however; attackers can still steal and sell data or simply disrupt operations, so prevention, detection and recovery remain essential. Another potential deterrent: the law makes the willful and knowing execution of a ransomware attack on a government entity a first-degree felony. Because many attackers operate from overseas, beyond the practical reach of Florida prosecutors, the criminal penalty is most likely to deter insiders and domestic affiliates of ransomware-as-a-service (RaaS) operations.

Cybersecurity Training

The legislation mandates annual cybersecurity training for state and local government employees. Employees with access to the entity's network receive basic training; technology professionals and employees with access to highly sensitive information receive advanced training. New employees must complete the training within the first 30 days of their employment.

The curriculum for this training will be developed by the Florida Digital Service. Established in 2020, its mission is to deliver better government services and transparency to Floridians through design and technology. The training can be administered in collaboration with the Cybercrime Office of the Florida Department of Law Enforcement, a private sector entity, or a State University System institution.

While the official curriculum is being developed, there are many training resources that can be leveraged today. Any quality cybersecurity training program that covers current, common threats (phishing, credential theft, social engineering) and tests end users, for example with simulated phishing campaigns, will get you off to a good start.

Adoption of Cybersecurity Standards

The best remedy for a cyberattack is preventing one in the first place. Government entities will have to adopt cybersecurity standards to protect their data, networks, equipment and other technology resources. These standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The required adoption dates for these standards depend on the size and type of your entity:

  • The deadline is Jan. 1, 2024 for counties with a population of 75,000 or greater and municipalities with a population of 25,000 or greater.
  • The deadline is Jan. 1, 2025 for counties and municipalities falling under these thresholds.

Incident Classification and Notification

The Local Government Cybersecurity Act classifies cybersecurity incidents into five severity levels, with 5 being an emergency-level event and 1 being a low-level event unlikely to impact public health and safety or governmental security. The levels are based on the cyber incident severity schema in the U.S. Department of Homeland Security's National Cyber Incident Response Plan.

Cybersecurity incidents at level 3 or higher, as well as all ransomware incidents regardless of level, must be reported to the state's Cybersecurity Operations Center and the Cybercrime Office of the Florida Department of Law Enforcement; local governments must also notify the sheriff with jurisdiction. This report must include a summary of the facts, the date of the incident and the date it was discovered, the types of data compromised and the estimated fiscal impact. In the case of ransomware, the details of the ransom demanded are also required.

You’ll also need to file an additional after-action report within one week after the remediation of a cybersecurity or ransomware incident. This report will include a summary of the incident, the resolution and any insights gained. Complete guidelines for after-action reports will be established by the Florida Digital Service by Dec. 1, 2022.

What does this all mean for you?

First, the impact of this law will reach pretty far. The definition of "government entity" is broad enough to include a single official or officer, and any device used to conduct government work, including an official's home computer, falls within the scope of the protections you are expected to apply. So your cybersecurity efforts will need to cover a wide territory.

Second, time will be of the essence. Incident reports are due as soon as possible but no later than 48 hours after discovery of a cybersecurity incident, and no later than 12 hours after discovery of a ransomware incident. That's a tight notification deadline. Without a reporting plan in place, with owners, contacts and a template for the required information, it will be extremely difficult to compile everything and submit on time.

The good news is that you're probably already doing some of the work necessary to comply with the new law. Chances are you've already been doing data backups (and perhaps testing them) and keeping your antivirus tools updated. You might even be training some of your staff to spot phishing emails and other dangers. Your next step is to extend those efforts to cover the law's requirements for standards, training and incident reporting.

You will, however, have to make sure what you're already doing is consistent with the NIST-based standards the law requires. This is where an experienced technology consultant can help by:

  • Making sure your entity's password policies, remote access policies, and account privileges and rights are in line with the adopted standards (for example, multifactor authentication for remote access and least-privilege account rights)
  • Setting up and administering an annual training program, including the 30-day onboarding requirement for new hires
  • Building or updating your incident response plan based on the new guidelines, including the 48-hour and 12-hour notification deadlines and the after-action report
  • Reviewing and testing your data backups as well as your disaster recovery and business continuity plans
  • Ensuring your backups are kept offline or otherwise isolated (air gapped) from your production network so a ransomware attack cannot encrypt or delete them, and that restores are tested often
  • Implementing advanced security measures to prevent ransomware attacks and other intrusions, such as endpoint detection and response (EDR), extended detection and response (XDR) or a Zero Trust architecture

James Moore’s Technology Solutions Consulting team has been providing IT consulting services to local governments and private business for more than 30 years. We’re able to assist with meeting these requirements and combating the ever-evolving cyber threat landscape. We’re also watching for the release of the cybersecurity training curriculum and other developments regarding the Local Government Cybersecurity Act. Contact us to stay in compliance — and stay protected.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.