A recently introduced bill in the Florida Legislature would provide businesses operating in Florida, including health care providers, with a legal defense to data breach lawsuits if they maintain robust cybersecurity measures that meet government- and industry-recognized standards. Specifically, Florida House Bill No. 473 (H.B. 473), known as the Cybersecurity Incident Liability Act, was introduced and reported favorably in the Commerce Committee on Jan. 23, 2024, to provide a much-needed safe harbor from liability for businesses that implement sensible, industry-recognized cybersecurity measures. This act aims to incentivize businesses to achieve a higher level of cybersecurity by maintaining a cybersecurity program that substantially complies with industry-recommended frameworks.

Businesses that achieve substantial compliance with recognized frameworks outlined in H.B. 473 would be entitled to a “legal safe harbor,” which could be used as an affirmative defense against tort claims arising from data breaches linked to alleged failures to adopt reasonable cybersecurity measures.

Alexis Buese, a key member of Bradley’s Class Action Litigation team based in Tampa, played a pivotal role in introducing the bill by providing crucial testimony on behalf of the health care industry in favor of H.B. 473 before the Commerce Committee. Bradley has consistently been at the forefront of advocating for innovative solutions that empower businesses to mitigate unnecessary class action exposure. With H.B. 473, the approach to liability becomes proactive, encouraging businesses to enhance their cybersecurity practices while offering incentives for upscaling their security measures.

Safe Harbor Details

H.B. 473’s “safe harbor” does not grant blanket immunity to a business facing a data breach lawsuit. Rather, it specifically applies only to tort claims, such as negligence, and businesses seeking to utilize the safe harbor must plead it as an affirmative defense in a lawsuit and demonstrate that their cybersecurity program complies with the law’s requirements. Importantly, the safe harbor does not extend to contract-based claims arising from disputes with vendors or customers involving contractual relationships.

It’s important to note that H.B. 473 does not establish a minimum cybersecurity standard that businesses must achieve. Instead, it encourages businesses to adopt and maintain cybersecurity programs in substantial compliance with industry-recognized frameworks without imposing liability on those that do not. The frameworks recognized by H.B. 473 include the following:

  • The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
  • NIST special publication 800-171
  • NIST special publication 800-53 and 800-53a
  • The Federal Risk and Authorization Management Program security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls
  • The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards

H.B. 473 also considers cybersecurity programs substantially aligned with federal requirements, including the following:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security requirements in 45 CFR part 160 and part 164, subparts A and C
  • The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164
  • Gramm-Leach-Bliley
  • The Federal Information Security Modernization Act of 2014

Notably, H.B. 473 takes a flexible approach to cybersecurity, weighing business-specific factors when determining the scale and scope of the cybersecurity program needed for substantial alignment with the standards recognized in the bill. These factors include the size, complexity, and nature of the business and its activities, the sensitivity of the personal information it holds, the availability and cost of security improvement tools, and the resources available for cybersecurity efforts.

What Does This Mean for Companies in Florida?

While H.B. 473 is not yet law, it signifies a positive step forward in recognizing and rewarding businesses that proactively adopt and maintain robust cybersecurity programs. Companies of all types and sizes, across various industries in Florida, should take the opportunity to assess the confidential, proprietary, personal, or other sensitive information they hold. It is crucial to review and evaluate the effectiveness of your privacy and security measures. This evaluation should encompass the organization’s overall culture concerning privacy and security, ensuring that both leadership and employees are adequately focused on these critical issues.

Furthermore, businesses should conduct thorough risk assessments to identify vulnerabilities and areas at risk, implement additional security measures to mitigate these risks, review and enhance existing policies and procedures, establish a tested incident response plan, and update employee training to address the latest cyber threats. This proactive approach to cybersecurity aligns with the objectives of H.B. 473 and can help businesses in Florida stay ahead in safeguarding their data and operations. If you have any questions about H.B. 473 or data privacy and cybersecurity matters generally, please contact Alexis Buese or Eric Setterlund.

Alexis M. Buese

Alexis Buese’s practice involves all aspects of commercial litigation, with an emphasis on class action, contract disputes, and real estate and consumer class action litigation. She has broadly defended the consumer products and services industries against the expanding array of class actions that challenge their products, methodologies, and procedures. Her clients include numerous consumer goods manufacturers and retailers, including apparel, furniture, food, vitamin and dietary supplement companies, and e-commerce companies. Alexis regularly represents clients in telemarketing litigation brought under the Telephone Consumer Protection Act (TCPA), Florida Telephone Solicitation Act (FTSA), and other state telemarketing and consumer protection laws, and she frequently writes and speaks on telemarketing compliance.

Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.