FL Bill Seeks to Reduce Cyber Incident Liability For Entities That Meet Industry Standards

January 29, 2024 - Florida lawmakers have proposed new legal protections for businesses facing claims of negligence in data breach lawsuits in the recently introduced Florida House Bill No. 473.

Also known as the Cybersecurity Incident Liability Act, the bill, which was reported favorably in the Commerce Committee in late January, would provide a certain level of safe harbor for businesses that implement industry-recognized cybersecurity standards.

The bill specifically applies to local governments, certain commercial entities, and third-party agents, including healthcare organizations. The goal of the bill is to reduce the frequency and impact of cyberattacks in the state of Florida by incentivizing these entities to take actions to better protect the data in their care.

If passed, the Cybersecurity Incident Liability Act would deem an entity not liable in connection with a cybersecurity incident if the entity “substantially complies with measures to protect data containing personal information” and has adopted a cybersecurity program based on any of the following standards:

• NIST Framework for Improving Critical Infrastructure Cybersecurity
• NIST special publication 800-171
• NIST special publications 800-53 and 800-53A
• The Federal Risk and Authorization Management Program security assessment framework
• CIS Critical Security Controls
• The International Organization for Standardization/International Electrotechnical Commission 27000 – series family of standards

What’s more, if the entity is regulated by the state or federal government (like healthcare), if must align its cybersecurity program to the most current version of:

• The security requirements of the Health Insurance Portability and Accountability Act of 1996
• Title V of the Gramm-Leach-Bliley Act of 1999 as amended
• The Federal Information Security Modernization Act of 2014
•  The Health Information Technology for Economic and Clinical Health Act

Alignment or compliance with the specified standards will be evaluated on a case-by-case basis, based on the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of the information it protects.

This act would not shield organizations from all liability when it comes to data breach lawsuits. Instead, it would allow these entities to demonstrate the strength of their cybersecurity program as an affirmative defense in a lawsuit alleging negligence.

It is also important to note that the bill would not establish a private right of action. Rather, it provides that “the failure of a county, municipality, other political subdivision of the state, or commercial entity or third-party to substantially implement a cybersecurity program as specified in the bill is not evidence of negligence and does not constitute negligence per se,” House of Representatives staff analysis stated.

“Under the bill, any commercial entity or third-party agent that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards, including the payment card industry data security standard, gains a presumption against liability in connection with a cybersecurity incident,” the analysis continued.

“To maintain this presumption, it must adopt revised frameworks or standards within one year after the latest publication date stated in the revisions. In an action in connection with a cybersecurity incident, if the defendant is an entity covered by the bill, the defendant holds the burden of proof to establish substantial compliance.”

The bill has been referred to the Judiciary Committee and now sits in the State Administration & Technology Appropriations Subcommittee. If passed, it could set an example for other states that are grappling with an increase in data breaches and the lawsuits that follow. As always, compliance with industry standards and regulations is an entity’s best defense against breaches.