The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Appropriations
BILL: CS/CS/SB 1670
INTRODUCER: Appropriations Committee; Military and Veterans Affairs, Space, and Domestic Security
Committee; and Senator Hutson
SUBJECT: Cybersecurity
DATE: March 2, 2022 REVISED:
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. Lloyd Caldwell MS Fav/CS
2. Hunter Sadberry AP Fav/CS
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/CS/SB 1670 modifies cybersecurity training and reporting standards for state agencies and
local governments.
The State Cybersecurity Act requires the Florida Digital Service (FLDS) and the heads of state
agencies to meet certain requirements to enhance the cybersecurity of state agencies. Currently,
state agencies must provide cybersecurity training to their employees, report cybersecurity
incidents, and adopt cybersecurity standards. However, there are no such requirements for
counties and municipalities (local governments).
Current law regarding state or local government cybersecurity does not specifically address
ransomware, which is a form of malware designed to encrypt files on a device, rendering any
files unusable. Malicious actors then demand ransom in exchange for decryption.
The bill prohibits state agencies and local governments from paying or otherwise complying with
a ransomware incident.
The bill defines the severity level of a cybersecurity incident in accordance with the National
Cyber Incident Response Plan. State agencies and local governments must report all ransomware
incidents and high severity level cybersecurity incidents to the Cybersecurity Operations Center
(CSOC) and the Cybercrime Office within the Florida Department of Law Enforcement as soon
as possible but no later than a time certain. Local governments must also report to the sheriff.
BILL: CS/CS/SB 1670 Page 2
The bill requires state agencies to report low level cybersecurity incidents and provides that local
governments may report such incidents. The bill also requires state agencies and local
governments to submit after-action reports to the FLDS following a cybersecurity or ransomware
incident.
The bill requires the CSOC to notify the Legislature of high severity level cybersecurity
incidents. The notice must contain a high-level overview of the incident and its likely effects. In
addition, the CSOC must provide the Legislature and the Cybersecurity Advisory Council (CAC)
with a consolidated incident report on a quarterly basis.
The bill requires state agency and local government employees to undergo certain cybersecurity
training within 30 days of employment and annually thereafter.
The bill requires local governments to adopt cybersecurity standards that safeguard the local
government’s data, information technology (IT), and IT resources.
The bill expands the purpose of the CAC to include advising local governments on cybersecurity
and requires the CAC to examine reported cybersecurity and ransomware incidents to develop
best practice recommendations. The CAC must submit an annual comprehensive report
regarding ransomware to the Governor and Legislature.
The bill establishes penalties and fines for certain ransomware offenses against a government
entity.
The bill will likely have a negative fiscal impact on state and local government expenditures;
however, the bill may also have a positive fiscal impact on the state due to the punitive fine
established in the bill. See Fiscal Analysis & Economic Impact Statement.
The bill’s effective date is July 1, 2022.
II. Present Situation:
General Background
Ransomware is a form of malware1 that is used by malicious actors to encrypt files on devices,
networks, or computer systems, rendering the files on those systems unusable. The malicious
actors then demand ransom in exchange for decryption or the return of an individual’s or an
organization’s files. Ransomware actors will also often threaten to sell or leak the data or
information if the demanded ransom is not paid.
The number of ransomware incidents continues to rise, with 2,474 incidents reported and
adjusted losses of over $29.1 million,2 a figure that is likely under-inclusive, as technology
experts believe that many ransomware attacks go unreported out of embarrassment by victims
who decline to report. In its reporting, the Federal Bureau of Investigation (FBI) formally
describes ransomware as:
A type of malicious software, or malware, that encrypts data on a
computer making it unusable. A malicious cybercriminal holds the data
hostage until the ransom is paid. If the ransom is not paid, the victim’s
data remains unavailable. Cyber criminals may also pressure victims to
pay the ransom by threatening to destroy the victim’s data or to release it
to the public.3
1 “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful
purpose. See https://csrc.nist.gov/glossary/term/malware (last visited Feb. 4, 2022).
2 Federal Bureau of Investigation, Internet Crime Complaint Center, 2020 Internet Crime Report, Business Email
Compromise (BEC), p.14, available at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf (last visited
Feb. 2, 2022).
The Internet Crime Complaint Center (IC3), housed within the FBI, received a record number of
complaints from the American public in 2020: 791,790, with the reported losses attached to those
complaints exceeding $4.1 billion.4 This represents a 69 percent increase in total complaints
from 2019.
Recent ransomware attacks that impacted the American economy include:
• The Colonial Pipeline shutdown in May 2021, which disrupted the flow of refined gasoline
and jet fuel through 5,500 miles of pipeline from Texas to New York.5
o Colonial supplied 45 percent of the East Coast’s fuel supply.
o As a private company, Colonial had no duty to report; however, the FBI and federal
investigative agencies at the time did confirm involvement in the investigation.6
o A ransom of 75 Bitcoin was paid a day after Colonial’s network system was breached,
and a total ransom, which was the equivalent of nearly $5 million in cryptocurrency, was
eventually paid for the software decryption key to unlock its networks.7
• JBS, the world’s largest meat processing plant, was hit by a ransomware attack in June
2021:8
o The plant is responsible for supplying one quarter of America’s beef.9
o The likely Russian-based hackers threatened disruption or deletion of network files
unless a ransom was paid.
o Ultimately, JBS paid a ransom in Bitcoin of $11 million to resolve the cyberattack.10
Specifically, in Florida, recent cybersecurity and ransomware incidents include:
• A February 2021 intrusion into the City of Oldsmar’s water system. The remote hacker
briefly increased the amount of sodium hydroxide (lye) from 100 parts per million to 11,100
parts per million, more than 100 times the normal level. The increased amount was caught
before the public was harmed.
• The St. Lucie County Sheriff’s Department was hit by a cyberattack in December 2020
when public records were taken and held for $1 million ransom, and sheriff employees briefly
resorted to filing reports using pen and paper instead.
• In Wakulla County in 2019, the school district’s insurer paid a Bitcoin ransom to hackers to
bring its computers back online during the first few weeks of the 2019-2020 school year.
3 Id.
4 Id., p.3.
5 David E. Sanger, et al., Cyberattack forces a shutdown of a top U.S. Pipeline, THE NEW YORK TIMES (May 13, 2021),
available at https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html (last visited Feb. 2, 2022).
6 Id.
7 Associated Press, Colonial Pipeline confirms it paid $4.4m to hacker gang after attack (May 19, 2021), THE GUARDIAN,
available at https://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom (last visited
Jan. 23, 2022).
8 JBS: Cyber-Attack hits world’s largest meat supplier, BBC.COM, available at
https://www.bbc.com/news/world-us-canada-57318965 (last visited Jan. 22, 2022).
9 Id.
10 Meat Giant JBS pays $11m in ransom to resolve cyberattack, BBC.COM, available at
https://www.bbc.com/news/business-57423008 (last visited Jan. 23, 2022).
Colonial Pipeline and JBS are just two examples from the thousands of other reports investigated
by the IC3 in 2021. The United States is the number one target for cyberattacks, with increases
expected in cyberattacks generally and in ransomware attacks in particular, according to statistics
from the University of West Florida’s Center for Cybersecurity.11
National Institute of Standards and Technology Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency
housed within the United States Department of Commerce. The NIST is charged with providing
a prioritized, flexible, repeatable, performance-based, and cost-effective framework that helps
owners and operators of critical infrastructure identify, assess, and manage cyber risk. While the
framework was developed with critical infrastructure in mind, it can be used by organizations in
any sector of the economy or society.12 The framework is designed to complement, and not
replace, an organization’s own unique approach to cybersecurity risk management. As such,
there are a variety of ways to use the framework and the decision about how to apply it is left to
the implementing organization. For example, an organization may use its current processes and
consider the framework to identify opportunities to strengthen its cybersecurity risk
management. Overall, the framework provides an outline of best practices that helps
organizations decide where to focus resources for cybersecurity protection.13
National Cyber Incident Response Plan
The National Cyber Incident Response Plan (NCIRP) was developed according to the direction
of Presidential Policy Directive (PPD)-41,14 by the U.S. Department of Homeland Security. The
NCIRP is part of the broader National Preparedness System and establishes the strategic
framework for a whole-of-Nation approach to mitigating, responding to, and recovering from
cybersecurity incidents posing risk to critical infrastructure.15 The NCIRP is not a tactical or
operational plan; rather, it serves as the primary strategic framework for stakeholders to
understand how federal departments and agencies and other national-level partners provide
resources to support response operations. The NCIRP was developed in coordination with
11
Eman El Sheikh, Ph.D., Center for Cybersecurity, University of West Florida, Cybersecurity Education and Workforce
Development Highlights (January 17, 2020 Presentation to Florida Cybersecurity Task Force Meeting, January 17, 2020),
available at CSTF_01.17.20_Meeting_Materials.pdf (myflorida.com) (last visited Jan. 23, 2022).
12
National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, available at
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last visited Jan. 30, 2022).
13
Id.
14
Annex for PPD-41: U.S. Cyber Incident Coordination, available at https://obamawhitehouse.archives.gov/the-press-
office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident (last visited Feb. 18, 2022).
15
U.S. Department of Homeland Security, National Cyber Incident Response Plan (December 2016) available at
file:///C:/Users/Villa.Chris/Downloads/798128% 20(7).pdf (last visited Feb. 20, 2022).
BILL: CS/CS/SB 1670 Page 5
federal, state, local, and private sector entities and is designed to interface with industry best
practice standards for cybersecurity, including the NIST Cybersecurity Framework.
The NCIRP adopted a common schema for describing the severity of cybersecurity incidents
affecting the U.S. The schema establishes a common framework to evaluate and assess
cybersecurity incidents to ensure that all departments and agencies have a common view of the
severity of a given incident; urgency required for responding to a given incident; seniority level
necessary for coordinating response efforts; and level of investment required for response
efforts.16
Figure 1: Cybersecurity Incident Severity Schema
16
Id.
Florida Information Protection Act of 2014
The Florida Information Protection Act of 201417 requires notice be given to affected customers
and the Department of Legal Affairs (DLA) when a breach of personal information occurs. The
notice must be provided within 30 days of the discovery of the breach or the belief that a breach
has occurred, unless law enforcement has requested a delay for investigative purposes or for
other good cause. State law requires Florida’s Attorney General to file with the Legislature,
every February 1st, a report identifying any governmental entities that have reported any breaches
of security, whether by the entity itself or by any of its third-party agents, in the preceding calendar year.
Additionally, the Attorney General must report on any breaches by any governmental entities
affecting more than 500 individuals in this state as expeditiously as possible, but not later than 30
days after the determination of the breach or reason to believe the breach has occurred. An
extension of up to 15 days may be granted if good cause is provided in writing to the DLA.
Enforcement authority is provided to the DLA under the Florida Deceptive and Unfair Trade
Practices Act to prosecute violations. Violators may be subject to civil penalties if a breach
notification is not provided on a timely basis, but there are no civil penalties for the timely
report of a security breach. There are exceptions for those entities that are also required to report
breaches to federal regulators.
Data Breach Reporting Within Florida Law
Florida is within the FBI’s top ten states for total number of victims reporting a data breach for
2020, falling behind only California with 53,793 victims18 and is fourth in the total amount of
victim loss reported at $295 million for 2020.19
The Attorney General’s office website posts notices and news releases relating to several multi-
state data breach settlements, which are listed on the site under litigation settlements and
press releases.20
Information Technology Management
The Department of Management Services (DMS)21 oversees information technology (IT)22
governance and security for the executive branch of state government. The Florida Digital
Service (FLDS) within the DMS was established by the Legislature in 2020 to replace the
Division of State Technology.23 The head of FLDS is appointed by the Secretary of Management
Services24 and serves as the state chief information off
17 Ch. 2014-189, Laws of Fla. (creating s. 501.171, F.S., effective July 1, 2014; Florida Information Protection Act).
18 Supra, note 2.
19 Id. at 24.
20 Office of Attorney General Ashley Moody, In the News – News Search (search conducted January 24, 2022), available at
http://www.myfloridalegal.com/newsrel.nsf/newsreleases (last visited Jan. 24, 2022).
21 See s. 20.22, F.S.
22 The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks,
infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access,
transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control,
communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form.
Section 282.0041(20), F.S. 12 Ch. 2020-161, Laws of Fla.