We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when Governor Ron DeSantis signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective July 1.

Among other things, the Act now requires that if a Florida state agency, county or municipality experiences a ransomware incident, it must provide notice to Florida’s Cybersecurity Operations Center[1] and the Cybercrime Office of the Department of Law Enforcement[2] (and in the case of a local government, to the sheriff with jurisdiction over that local government) within 12 hours of discovery. The report must include at least the following:

A summary of the facts surrounding the incident.