
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs

Healthcare organizations and businesses in Florida could soon be given protection against data breach lawsuits if they implement and maintain cybersecurity measures that meet government and industry standards. The Florida Cybersecurity Incident Liability Act (H.B. 473) has been introduced in the Florida legislature and aims to create a “safe harbor” that limits liability for businesses that implement reasonable and appropriate cybersecurity measures aligned with recognized industry standards and cybersecurity frameworks.

Businesses can make significant investments in cybersecurity to protect their networks and sensitive data from unauthorized access, but the sophistication of current cyber threats means that attacks may still succeed. It is now common for multiple lawsuits to be filed after a data breach alleging a failure to implement appropriate cybersecurity measures, regardless of the measures that were actually in place. The Florida Cybersecurity Incident Liability Act is intended to give businesses an affirmative legal defense against tort claims in data breach lawsuits and to encourage the adoption of recognized security frameworks.

If enacted, the Florida Cybersecurity Incident Liability Act would place limitations on liability for cybersecurity incidents. Counties, municipalities, and businesses that acquire, maintain, store, or use personal information would not be liable in connection with a cybersecurity incident provided they have adopted a cybersecurity program that substantially aligns with any standards, guidelines, or regulations that implement any of the following:

  • The NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST Special Publications 800-53 and 800-53A – Security and Privacy Controls for Information Systems and Organizations / Assessing Security and Privacy Controls in Information Systems and Organizations
  • The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls
  • The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards

Liability would also be limited for entities that are regulated by the state or Federal Government or that are otherwise subject to the following laws and regulations:


  • The Health Insurance Portability and Accountability Act’s security requirements (45 C.F.R. part 160 and part 164, subparts A and C)
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (45 C.F.R. parts 160 and 164)
  • Title V of the Gramm-Leach-Bliley Act
  • The Federal Information Security Modernization Act of 2014

Whether a cybersecurity program “substantially aligns” with these laws, frameworks, and standards would be judged relative to the size, complexity, and nature of the business activities, the sensitivity of the personal information collected and stored, the availability and cost of tools to improve security, and the resources available to the entity for cybersecurity. The safe harbor is an affirmative defense rather than an automatic exemption: in a data breach lawsuit, the defendant would bear the burden of proving that its program substantially complied with the applicable laws, cybersecurity frameworks, or standards at the time of the incident.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
