We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective on July 1.
Among other things, the Act now requires that if a Florida state agency, county or municipality experiences a ransomware incident, it must provide notice to Florida’s Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement (and in the case of a local government, to the sheriff with jurisdiction over that local government) within 12 hours of discovery. The report must include at least the following:
- A summary of the facts surrounding the incident.
- The date on which the agency most recently backed up its data, the physical location of the backup, whether the backup was encrypted by the ransomware and whether the backup was created using a cloud-based solution.
- The types of data compromised by the incident.
- The estimated fiscal impact of the incident.
- Details of the ransom demanded.
Given the difficulty of compiling this information within 12 hours in the midst of addressing a ransomware incident, Florida state agencies would be well advised to keep their backup schedule somewhere outside the network to prevent it from being inaccessible as a result of either the encryption itself or containment measures taken immediately following a ransomware incident.
Importantly, the updates to the Act also only prohibit a state agency, county or municipality experiencing a ransomware incident from paying or otherwise complying with a ransom demand. Unlike the North Carolina law, which proscribes state agencies from even “communicat[ing] with an entity that has engaged in a cybersecurity incident,” the Florida Act does not appear to prohibit a state agency, county or municipality from communicating with a ransomware threat actor in order to gain intelligence about the nature and scope of the attack or to delay the publication of stolen data.
Unlike North Carolina’s law, Florida’s law appears to exclude public school districts and universities from the list of public entities that are prohibited from paying a ransom. The Act defines the term “state agency” as any official, officer, commission, board, authority, council, committee or department of the executive branch of state government; the Justice Administrative Commission; the Public Service Commission; the Department of Legal Affairs; the Department of Agriculture and Consumer Services; and the Department of Financial Services. Although some questions remain about the nature and scope of Florida’s law prohibiting state agencies from paying ransoms to cybercriminals, the recently passed laws in North Carolina and Florida appear to mark a growing trend in which states prohibit public entities from paying ransoms. In the coming months, we expect to see similar laws introduced and/or passed in several additional states. As such, it is imperative that public entities take proactive measures to reduce their cybersecurity risks and position themselves to recover from cybersecurity incidents without the need to purchase a decrypter. Such measures include, but are not limited to, implementing multifactor authentication, deploying an endpoint detection and response tool throughout the entity’s environment, regularly creating system backups, and keeping those backups separate from the system itself.