Florida Enacts Law Prohibiting State Agencies from Paying Cyber Ransoms

On July 1, 2022, amendments to Florida’s State Cybersecurity Act (the “Act”) took effect, imposing certain ransomware reporting obligations on state agencies, counties and municipalities and prohibiting those entities from paying cyber ransoms.

The amendments, enacted as HB 7055, require state agencies and local governments to report ransomware incidents to the state’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Department of Law Enforcement and the local sheriff no later than 12 hours after discovery. The Act previously required reporting of certain cybersecurity incidents affecting state agencies, and the amendments expressly add ransomware to the relevant reporting obligations. Reports to the state CSOC must include, at a minimum, the following details:

  • a factual summary of the incident;
  • the date on which the affected agency or local government most recently backed up its data, the physical location of that backup, whether the backup was affected, and whether the backup was cloud-based;
  • the types of data compromised by the incident; 
  • the estimated fiscal impact of the incident; and
  • details of the ransom demanded, if any.

The amendments also impose a severity classification scheme for security incidents, with severity levels ranging from one to five, based on the Department of Homeland Security’s National Cyber Incident Response Plan. The Act defines “incident” broadly as “a violation or imminent threat of violation, whether . . . accidental or deliberate, of information technology resources, security, policies, or practices.” In addition to the 12-hour reporting obligation for ransomware incidents, if a state agency discovers that it has experienced another type of incident at level three or greater, it must also notify Florida’s CSOC and the Cyber Crime Office within 48 hours.

Additionally, the amended Act prohibits state agencies, counties and municipalities from paying or otherwise complying with a ransom demand. 

We previously blogged about a similar law in North Carolina, enacted in April 2022, that likewise prohibits state government entities from paying cyber ransoms.
