A Path to Data Breach Immunity for Florida Companies Reaches Governor’s Desk
In the ever-changing landscape of data privacy law, Florida is one step closer to establishing immunity for businesses that suffer data breaches. The Florida Legislature recently passed Florida’s Cybersecurity Incident Liability Act, HB 473, which can provide immunity from civil liability to companies that have suffered a data breach if they meet certain conditions. The bill is expected to be signed by Governor Ron DeSantis and become law in the coming weeks.
In response to the flood of data breach litigation over the last few years, there has been a recent trend in some states to enact laws that provide limited protections for companies facing data breach claims. But Florida’s HB 473 goes a bit further than most other states’ laws.
Under HB 473, immunity is provided for both a covered entity and its third-party agent. A covered entity or third-party agent will not be liable in connection with a cybersecurity incident if it meets the following three criteria.
First, it must “substantially comply” with Fla. Stat. § 501.171(3)-(6), the Florida Information Protection Act (FIPA). Under FIPA, a covered entity must provide notice to Florida’s Department of Legal Affairs for any breach of security that affects 500 or more individuals in Florida, “as expeditiously as practicable” but no later than 30 days after the breach. FIPA also contains other technical requirements specifying what information entities must include in the notice and provide to the department when requested.
Second, the covered entity must adopt a cybersecurity program that “substantially aligns” with the current standards, guidelines or regulations of various frameworks, including:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
- NIST special publication 800-171
- NIST special publications 800-53 and 800-53A
- The Federal Risk and Authorization Management Program security assessment framework
- The Center for Internet Security (CIS) Critical Security Controls
- The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards
- HITRUST Common Security Framework (CSF)
- Service Organization Control Type 2 (SOC 2) Framework
- Secure Controls Framework
If the covered entity is regulated by the state or federal government (or both), it may also take advantage of immunity if it has adopted a cybersecurity program that “substantially aligns” with the current version of the following laws:
- The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C
- Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended
- The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283
- The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164
- The Criminal Justice Information Services (CJIS) Security Policy
- Other similar requirements mandated by state or federal law or regulation
A covered entity may demonstrate substantial alignment with any of these frameworks by providing documentation or other evidence of an assessment, whether conducted internally or by a third party, reflecting that the covered entity’s cybersecurity program is substantially aligned.
Third, to maintain immunity, a covered entity must ensure that its cybersecurity program substantially aligns with any revisions of relevant frameworks within one year after revisions are made.
Once signed by Governor DeSantis, the law will take effect immediately. Importantly, it will apply to any lawsuit filed on or after the date of signing as well as to any pending class action in which class certification has not yet occurred.
HB 473 is a promising piece of legislation for companies dealing with personal data and operating in Florida. It provides a relatively clear roadmap on how companies should structure and implement their cybersecurity programs to take full advantage of the immunity being offered. The exact scope and reach of that immunity, though, will likely have to come from Florida courts as they consider what constitutes “substantial compliance” or “substantial alignment.” It is also worth noting that HB 473 likely only applies in Florida. Companies should be mindful of compliance with other states’ data privacy laws. But at least in Florida, a path to immunity from data breach lawsuits seems to have emerged.
Contact Chris Bach or any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice and guidance.