What Does Florida HB 7055 Mean for Ransomware Attacks?

When the city of Baltimore faced a ransomware attack back in 2019, they faced two choices. Agree to pay the hackers to release their hijacked systems or refuse and turn to outside help to recover. Baltimore chose the second option. While many would agree with the idea of never giving in to any ransom demand, the decision came at a cost. Baltimore ended up spending over $10 million to get their city accounts back, $10 million more than the $76,280 asked for by the hijackers.

Some might say that not paying saved Baltimore from becoming a more frequent attack target. Either way, the choice was up to the city. With HB 7055, a Florida bill passed on July 1, 2022, agencies and local governments in the Sunshine State will no longer have the option of paying out a ransom. How will this impact local Florida governments, and how many are prepared to set up the kind of cybersecurity protections necessary to protect themselves?

What is HB 7055?

Florida HB 7055 is a set of amendments to Florida’s State Cybersecurity Act that establishes requirements around how state agencies and local governments report and respond to cybersecurity incidents. It specifically prohibits agencies from giving in to payment demands from hackers. This bill may have been spurred by similar experiences like that of the Florida city of Riviera Beach.

Like Baltimore, Riviera Beach was hit by a ransomware attack in 2019. Unlike Baltimore officials, Riviera Beach’s city council agreed to pay a $600,000 ransom to release their paralyzed systems. As a result of the incident, Riviera Beach invested almost a million dollars in upgrading its hardware to eliminate the vulnerabilities exploited by cyber hijackers.

Riviera Beach was by no means an outlier. Whether through older technology or limited resources, many cities around the US might be underprepared when it comes to protecting their data and systems. It can be as simple as a single person opening one malicious email to shut down city services and cause millions in damages.

Without the ransom payment that led to the release of Riviera Beach’s systems, how much more damage could the hackers have caused? Suppose officials in cities like Baltimore or Riviera Beach had been able to invest in their IT and security posture sooner? In that case, protection could have been in place to stop and contain the malicious software before it could wreak havoc.

How is Ransomware Defined Under Florida HB 7055?

The Florida ransomware bill defines a ransomware incident as one where a person or entity uses software to infiltrate the data of a state agency, municipality, or county. Once they gain access, the person or entity asks for a ransom in return for one or more of the following:

• Not publishing the data
• Restoring access to the data
• Reversing any negative impacts of the incident

Any unauthorized intrusion that results in stolen data and subsequent demands is considered a ransomware incident. The hacker doesn’t have to use tools or files when attempting.

How Are Cybersecurity Incident Severity Levels Defined in Florida HB 7055?

The Florida cybersecurity legislation enforces strict requirements around reporting cyberattacks where attackers don’t use ransomware. How fast agencies, city, and county officials must notify state authorities about attacks depends on the severity of the incident. The U.S. Department of Homeland Security established severity levels around cybersecurity attacks which got added to Florida HB 7055 as amendments.

Level 1

Level one incidents are assigned to low-priority incidents unlikely to impact the public, the economy, or security at the local, state, or national level.

Level 2

Level two incidents are medium-level impacts with the potential to impact the public, the economy, or security at the local, state, or national level.

Level 3

Level three incidents are considered high-level occurrences. Attacks assigned to this level could significantly affect the public, the economy, or security at the local, state, or national level.

Level 4

Level four incidents are severe occurrences that would significantly impact the public, the economy, or security at the local, state, or national level.

Level 5

Level five incidents prevent an imminent threat to the ability of authorities to offer critical infrastructure services. They also impact local, state, and national security or the lives of residents.

What Are the Direct Impacts on Florida Cities?

State agencies and local governments are now subject to the following requirements under the updated Florida cybersecurity bill.

• They must report cybersecurity incidents or ransomware attacks to the Florida Department of Law Enforcement Cybersecurity Office and the Cybersecurity Operations center within 48 hours of the event.
• They must submit post-action reports to the Department of Law Enforcement after a cybersecurity incident.
• They must not comply with or pay any ransom demands.
• They must provide cybersecurity training for all employees within 30 days of being hired and annually.
• They must adopt cybersecurity standards around safeguarding IT infrastructure, resources, and organizational data.

What Are the New Cybersecurity Standards FL Cities Must Achieve?

While the requirements aren’t yet fully defined, having the appropriate training programs, compliance procedures, and active cyber-defense processes in place will be a must. With NIST cyber frameworks are referenced, digging into the statue changes tells us that the following will be required:

• Asset management and classification
• Risk assessment methodology (support risk decisioning)
• Comprehensive risk assessments w/ ongoing cybersecurity audits (by private sector vendor)
• Information, data, and IT protection procedures
• Data confidentiality, integrity, and availability procedures
• Active threat detection procedures (SOC, SEIM)
• Established Incident Response teams
• Information recovery, may include recommended improvements
• Incident reporting process w/ L1-5 ranking
• Implement and submit after-action reports

Florida HB 7055 also expands the responsibilities of the Cybersecurity Advisory Council to cover the following:

• Offering cybersecurity advice to local governments
• Reviewing reports of cybersecurity incidents to develop best practices and recommendations
• Submit an annual ransomware report to the state legislature and the Governor

Frequently Asked Questions

Does Florida HB 7055 apply to colleges and universities?

• As of now, state universities do not fall under the definition of a state agency.

How can the notification requirement negatively affect local officials and state agencies?

• With the right security infrastructures, agencies might be able to collect the necessary information to report to the state. Those same inefficiencies could impact their ability to respond to attacks and provide a thorough post-incident report.

Get Compliant With Florida HB 7055

The City of Weston recognized that they were not adequately equipped to handle the technological challenges of the current online environment. Officials invested in building an efficient, secure, stable technology stack. The city didn’t want to wait until it became another ransomware headline before taking proactive action. Read more about how R2 Unified Technologies (R2UT) helped Weston modernize its IT in our case study.

R2UT understands what it takes to update local and state IT infrastructure to combat cybersecurity threats and comply with state legislation. Learn more about how we can help you rebuild your technology stack and protect yourself against threats by contacting us here.