Florida Legislature Passes Bill Providing Companies with Immunity from Data Breach Lawsuits
Companies in Florida may soon be immune from lawsuits if they suffer data breaches provided that prior to the cybersecurity incident, they have been maintaining a cybersecurity program that substantially aligns with industry standards, cybersecurity frameworks such as the NIST CSF, or a state or federal law such as HIPAA, and they comply with Florida’s data breach notification law. The cybersecurity incident liability bill – House Bill 473 – was recently passed by the Florida legislature and now heads to the state governor’s desk for his signature. Governor Ron DeSantis is expected to sign the bill into law.
Currently, healthcare organizations in the state of Florida have a degree of immunity from regulatory sanctions and penalties if they can demonstrate that they have implemented recognized security practices that have been continuously in place for the 12 months prior to a data breach, following a 2021 amendment to the HITECH Act. When determining appropriate penalties in its enforcement activities, the HHS’ Office for Civil Rights will consider the recognized security practices that have been in place and will reduce the penalties accordingly. There are no provisions in HITECH or HIPAA that provide immunity from or limit liability in class action data breach lawsuits.
Any significant healthcare data breach is likely to see one – or most likely several – class action data breach lawsuits filed for exposing sensitive data, and the cost of defending against those lawsuits and paying settlements is considerable. If lawsuits are likely to be filed following any data breach regardless of the cybersecurity measures that have been implemented, then businesses may simply accept the risk and fail to invest appropriately in cybersecurity.
The aim of the bill is to incentivize organizations to invest in security and implement cybersecurity measures to protect the personal data they collect and store as it is in their best interests to do so. The bill goes a step further than similar laws that have been enacted in Ohio, Utah, and Connecticut, where companies that implement appropriate security measures have limited protection against class action data breach lawsuits. In Florida, companies will be provided with immunity from more types of claims and there are no carve-outs for failing to address known threats, and immunity is not conditioned on compliance with a cybersecurity program. Should the bill be signed into law it will be effective immediately.
While the law will undoubtedly be good for businesses, the benefits to consumers are questionable. If the law does have the intended effect and companies invest in cybersecurity as a result, Florida residents will be less likely to have their data compromised. However, in the event of a data breach, consumers will have to cover the cost of protecting themselves against identity theft and fraud and will incur out-of-pocket expenses, as well as costs if they do fall victim to identity theft and fraud if they cannot recover those costs by other means.
