The Florida Legislature recently passed a law that gives companies protection against claims arising from "cybersecurity incidents" that result in data breaches, as long as the companies meet several important obligations. The bill is expected to be signed by Governor DeSantis in the coming weeks and to take effect immediately. What are three things Florida businesses should know about this new law, and three things they should do to get the protection it provides?
3 things businesses must do to qualify for the law's protection
HB 473, passed by the Florida Legislature on March 5, states that a company "will not be held liable in connection with a cybersecurity incident" if it meets three obligations:
- First, the company must be in "substantial compliance" with the Florida Information Protection Act (FIPA). FIPA requires businesses to notify the Florida Department of Legal Affairs (the Attorney General's office) of any security breach affecting 500 or more individuals in Florida. FIPA also imposes other technical requirements that companies must follow.
- Second, companies must adopt a cybersecurity program that is “substantially consistent” with the current version of the standards, guidelines, or regulations listed in the statute. These include:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or NIST Special Publications 800-171, or 800-53 and 800-53A.
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework.
- The Center for Internet Security (CIS) Critical Security Controls.
- The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards, or
- Other similar industry frameworks or standards.
Alternatively, the company may adopt a cybersecurity program that substantially complies with applicable law, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, or other similar federal or state law.
- Third, when an applicable industry standard, framework, or law changes, companies must update their cybersecurity programs to be "substantially consistent" with the revised version within one year.
3 things you need to know about the law
1. Florida's new law expands on trends established in other states
The bill aligns with laws passed in other states that protect companies from data breach lawsuits in exchange for strengthening their data security protocols and practices. Florida's law is likely broader than those laws, however, because it conditions immunity on "substantial" rather than strict compliance.
2. The qualifications for immunity are broad.
HB 473 does not establish any minimum cybersecurity standards that businesses must achieve. Under the new law, a company must be in "substantial compliance" with FIPA's breach notification requirements, adopt a cybersecurity program that is "substantially consistent" with a listed framework or applicable law, and keep that program updated as the framework or law changes. A company that meets those obligations is probably entitled to immunity.
The law also takes a flexible approach to what an adequate program looks like. It states that a number of business-specific factors are to be considered, including the size, complexity, and nature of the business and its activities, and the sensitivity of the personal information being protected.
3. The scope of the immunity will be determined by Florida courts.
The law places the burden on the company to demonstrate that it has achieved "substantial compliance" in order to receive the law's protection. However, it does not specify which claims the immunity covers. As a result, the scope of the immunity is expected to be litigated and ultimately determined in Florida state court.
Given the statute's broad language, it may be raised as an affirmative defense to claims under Florida common law and Florida statutes. Claims for breach of contract, and claims brought under federal law pursuant to industry-specific federal rules and regulations, would likely fall outside the law's scope.
3 things businesses should do
- First, take proactive steps: assess what personal and sensitive data you hold, then evaluate your cybersecurity measures against that inventory to identify and remediate gaps.
- Second, engage a data privacy advisor to help your organization comply with the law and document its compliance.
- Third, do not treat this law as a complete shield. It likely provides no immunity from alleged violations of other states' laws, including other jurisdictions' data breach notification laws. Review your agreements with vendors and other third parties to ensure you have properly assessed the risks associated with cybersecurity incidents.