A recently introduced bill in the Florida Legislature would provide businesses operating in Florida, including health care providers, with a legal defense to data breach lawsuits if they maintain robust cybersecurity measures that meet government- and industry-recognized standards. Specifically, Florida House Bill No. 473 (H.B. 473), known as the Cybersecurity Incident Liability Act, was introduced and reported favorably in the Commerce Committee on Jan. 23, 2024, to provide a much-needed safe harbor from liability for businesses that implement sensible, industry-recognized cybersecurity measures. This act aims to incentivize businesses to achieve a higher level of cybersecurity by maintaining a cybersecurity program that substantially complies with industry-recommended frameworks.

Businesses that achieve substantial compliance with recognized frameworks outlined in H.B. 473 would be entitled to a “legal safe harbor,” which could be used as an affirmative defense against tort claims arising from data breaches linked to alleged failures to adopt reasonable cybersecurity measures.

Alexis Buese, a key member of Bradley’s Class Action Litigation team based in Tampa, played a pivotal role in introducing the bill by providing crucial testimony on behalf of the health care industry in favor of H.B. 473 before the Commerce Committee. Bradley has consistently been at the forefront of advocating for innovative solutions that empower businesses to mitigate unnecessary class action exposure. With H.B. 473, the approach to liability becomes proactive, encouraging businesses to enhance their cybersecurity practices while offering incentives for upscaling their security measures.

Safe Harbor Details

H.B. 473’s “safe harbor” does not grant blanket immunity to a business facing a data breach lawsuit. Rather, it specifically applies only to tort claims, such as negligence, and businesses seeking to utilize the safe harbor must plead it as an affirmative defense in a lawsuit and demonstrate that their cybersecurity program complies with the law’s requirements. Importantly, the safe harbor does not extend to contract-based claims arising from disputes with vendors or customers involving contractual relationships.

It’s important to note that H.B. 473 does not establish a minimum cybersecurity standard that businesses must achieve. Instead, it encourages businesses to adopt and maintain cybersecurity programs in substantial compliance with industry-recognized frameworks without imposing liability on those that do not.  The frameworks recognized by H.B. 473 include the following:

• The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
• NIST special publication 800-171
• NIST special publication 800-53 and 800-53a
• The Federal Risk and Authorization Management Program security assessment framework
• The Center for Internet Security (CIS) Critical Security Controls
• The International Organization for Standardization/International Electrotechnical Commission 27000- series (ISO/IEC 27000) family of standards

Additionally, H.B. 473 also considers cybersecurity programs substantially aligned with federal requirements, including the following:

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security requirements in 45 CFR part 160 and part 164, subparts A and C
• The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164
• Gramm-Leach-Bliley
• The Federal Information Security Modernization Act of 2014

Notably, H.B. 473 takes a flexible approach to cybersecurity, considering various business-specific factors in determining the necessary scale and scope of a cybersecurity program to determine substantial alignment with standards recognized in the bill. These factors include the size, complexity, and nature of the business and its activities, the sensitivity of the personal information it holds, the availability and cost of security improvement tools, and the resources available for cybersecurity efforts.

What Does This Mean for Companies in Florida?

While H.B. 473 is not yet law, it signifies a positive step forward in recognizing and rewarding businesses that proactively adopt and maintain robust cybersecurity programs. As we move into the future, companies of all types and sizes, across various industries in Florida, should take the opportunity to assess the confidentiality, proprietary nature, personal data, or other sensitive information they hold. It is crucial to review and evaluate the effectiveness of your privacy and security measures. This evaluation should encompass the organization’s overall culture concerning privacy and security, ensuring that both the leadership and employees are adequately focused on these critical issues.

Furthermore, businesses should conduct thorough risk assessments to identify vulnerabilities and areas at risk, implement additional security measures to mitigate these risks, review and enhance existing policies and procedures, establish a tested incident response plan, and update employee training to address the latest cyber threats. This proactive approach to cybersecurity aligns with the objectives of H.B. 473 and can help businesses in Florida stay ahead in safeguarding their data and operations.