The US State of Florida has adopted a Law that prohibits State Agencies to pay for ransomware and requires them to report incidents to the State’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Department of Law Enforcement and local sheriff within 12 hours from the discovery. The Act previously required reporting of certain cybersecurity incidents affecting state agencies, and the amendments expressly add ransomware to the relevant reporting obligations. The Law also imposes a severity classification scheme for security incidents which is based on the Department of Homeland Security’s National Cyber Incident Response Plan. Find the Law here.