Venus Caruso

New Florida Law Protects Businesses from Liability Arising from Data Breaches

On March 5, 2024, the Florida Legislature passed House Bill 473, introducing a new law that protects certain businesses from liability arising from cybersecurity incidents. Once enacted, the protection against liability arising from data breaches will be codified as Section 768.401 in the Florida Statutes.


Type of Business Protected

Businesses that meet the definition of “covered entities” or “third-party agents” qualify for protection subject to satisfying the statutory requirements (outlined further below).

“Covered entities” are defined as businesses that acquire, maintain, store, process, or use personal information, including sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, associations, and other commercial entities.

“Third-party agents” are defined as entities contracted by covered entities to maintain, store, or process personal information on their behalf.


Requirements for Liability Protection

To qualify for liability protection arising from a cybersecurity incident, covered entities and third-party agents must meet the following requirements:

1. Substantial compliance with Florida's data breach notification requirements outlined in Section 501.171, subsections (3) through (6), of the Florida Statutes.

2. Adoption of a cybersecurity program that substantially aligns with one or more of the following industry standards, guidelines, or regulations:

   - NIST Cybersecurity Framework

   - NIST Special Publications 800-171, 800-53, and 800-53A

   - The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework

   - CIS Critical Security Controls

   - ISO/IEC 27000 Family of Standards

   - HITRUST Common Security Framework (CSF)

   - SOC 2 Framework

   - Other similar industry frameworks or standards

   - Relevant state or federal regulations (e.g., HIPAA, GLBA, HITECH Act, CJIS Security Policy)


Covered entities and third-party agents can demonstrate substantial alignment with the chosen framework or regulation by providing internal or third-party assessment documentation. Bear in mind that a cybersecurity program must be updated within 1 year of revisions to the relevant industry standards, guidelines, or regulations in order to maintain the liability protection afforded by this new law.


Substantial Alignment Meaning

A cybersecurity program does not need to achieve perfect compliance with the relevant standards, guidelines, or regulations outlined in the statute. Instead, the expectation is that the program substantially conforms to those requirements. The assessment of whether a cybersecurity program meets the “substantial alignment” requirement will take the following three factors into account:

1.  The size and complexity of the business;

2.  The nature and scope of activities performed by the business; and,

3.  The level of sensitivity of the information to be protected.


Three Additional Key Points

Florida's cybersecurity liability protection law does not establish a private cause of action. This means individuals cannot use this law as a basis to sue companies.

Also, where a business fails to meet the “substantial alignment” requirement, that failure cannot be used as evidence of negligence and does not constitute negligence per se.

Lastly, the cybersecurity liability protection afforded under this pending law will only apply to claims filed on or after the law’s effective date.


The information provided here is for general informational purposes only and not intended as legal advice or opinion for any individual matter. Changes in laws or regulations may occur in the future and this content may not be the most up-to-date legal or other information. You should consult your own attorney for any legal advice you may require.


If you do not have an attorney and would like to explore how Venus Caruso can assist you, you can contact Venus by using the website’s contact form or by emailing her at venus@carusolawoffice.com.
