By Janette M. Smith, City, County and Local Government Law Section Chair of the Florida Bar
With the increasing reliance on technology and the growing threat of cyber attacks, phishing, ransomware, and other cyber intrusions, governments have been taking proactive steps to strengthen their cyber security and data privacy measures. Florida has recently enacted several laws to address these issues and protect the privacy and security of its residents’ information. In this article, we will provide an overview of the most recent laws in Florida related to cyber security and data privacy.
House Bill 7055 and House Bill 7057 were signed into law in 2022 to tackle cyber security and ransomware incidents, to protect the public, and to ensure the security of government systems and data.
House Bill 7055 aims to strengthen the cyber security measures of state agencies and local governments in Florida. It establishes a comprehensive framework for managing and mitigating cyber security risks, including the use of best practices for information technology security, risk assessments, and incident response plans. The bill requires state agencies and local governments to regularly update their cyber security measures to adapt to evolving threats and vulnerabilities. One of the key provisions of House Bill 7055 is the establishment of a cybersecurity strategic plan. This provision requires the Florida Department of Management Services, acting through the Florida Digital Service, to develop and implement a strategic plan that outlines the state’s overall approach to cyber security. Each local government entity is required to adopt cybersecurity standards that safeguard its data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The plan must address various aspects of cyber security, including risk management, incident response, training and education, and coordination among state agencies and local governments. This plan must be ready by January 1, 2024, for counties with a population greater than 75,000 and for cities with a population greater than 25,000. The deadline is January 1, 2025, for all other counties and cities, meaning those with populations below these thresholds. Additionally, the Department of Management Services will be required to conduct regular audits of state agencies and local governments to assess their compliance with the strategic plan.
House Bill 7055 also emphasizes the importance of training and education in cyber security. It requires state agencies and local governments to provide regular training to their employees on cyber security best practices and incident response protocols. The bill also encourages partnerships between government agencies, educational institutions, and private organizations to promote cybersecurity awareness and education across the state. Furthermore, House Bill 7055 addresses the issue of ransomware payments. Section 282.3186, Florida Statutes, states that a county or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand. State agencies and local governments may not use public funds to pay ransomware demands. This provision is intended to discourage the payment of ransoms, which can perpetuate cyber-attacks and incentivize cyber criminals.
House Bill 7057, titled “Public Records and Meetings/Cybersecurity,” focuses on the handling of public records and meetings in the context of cybersecurity and ransomware incidents. The bill acknowledges that cyber-attacks can compromise the confidentiality, integrity, and availability of public records and meetings, posing a significant threat to transparency and accountability in government operations.
This bill also requires state agencies and local governments to develop and implement cybersecurity protocols for the protection of public records and meetings. It also creates a public records exemption related to cybersecurity. Specifically, the bill makes the following confidential and exempt from public record requirements: (1) cybersecurity insurance coverage limits and deductible self-insurance amounts, (2) information related to critical infrastructure, and (3) network schematics, hardware and software configurations, or encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents. In addition to the public records exemption, any portion of a meeting that might reveal such information is exempt from public meeting requirements. See Section 119.0725, Florida Statutes.
In addition to House Bill 7055 and House Bill 7057 discussed above, there are many other new laws that should be considered for the protection of personal information and data privacy. The Florida Information Protection Act (FIPA) was signed into law in June 2021 and is aimed at enhancing the protection of personal information and data privacy. FIPA expands the requirements for businesses that collect and store the personal information of Florida residents, and it includes provisions related to data breach notification, security measures, and consumer rights. (See House Bill 969, Chapter 2021-158, Laws of Florida.) Some of the key provisions of FIPA:
Data Breach Notification: FIPA mandates that businesses notify affected individuals within 30 days of discovering a data breach that compromises their personal information unless there is no reasonable risk of harm. Additionally, businesses must notify the Florida Department of Legal Affairs if a data breach affects 500 or more individuals. See Section 501.171(3), Florida Statutes.
Security Measures: FIPA requires businesses to implement reasonable measures to protect personal information, including the use of encryption for sensitive data and proper disposal of records containing personal information. See Section 501.171(2), Florida Statutes.
Consumer Rights: FIPA provides consumers with the right to request and obtain access to their personal information held by businesses, as well as the right to request the deletion of their personal information. See Section 501.171(6), Florida Statutes.
These new laws highlight the importance of proactive risk management, incident response planning, and employee training to effectively mitigate the risks associated with cyber-attacks and ransomware incidents and to secure data privacy.
For additional information, please contact Janette Smith at jsmith@florida-law.com.