Florida's Cybersecurity Incident Liability Act: What to Know About FL HB 473

Cybersecurity Assessments

NOTE: This blog was originally posted on February 27, 2024, when this bill was still in the proposal stage. As of March 13, 2024, the bill has been passed by both chambers of the Florida legislature, and this content has been updated to reflect that progress.


In an age where cyber threats loom large and data breaches can wreak havoc on organizations of all sizes, governments are increasingly taking steps to limit the liability that entities face after falling victim to cybersecurity incidents, with Florida being the most recent example.

The state's Senate and House recently passed a significant piece of legislation, the Cybersecurity Incident Liability Act (H.B. 473). But what would this mean for the organizations that fall under the law's purview, should it be signed into law?

As a leading cybersecurity audit and compliance firm, we're going to delve into just that. In this blog post, we'll detail what this act entails and what it would mean for your cybersecurity compliance, so that if and when this new legislation takes effect, you understand what to do in order to qualify for its protections.


What is Florida’s Cybersecurity Incident Liability Act?

As many organizations in recent memory unfortunately understand, the fallout from a data breach or other cybersecurity incident can be extraordinarily damaging in multi-faceted ways:

  • Financial losses
  • Reputational damage
  • Operational slowdowns/disruption
  • Lawsuits
  • Data loss

Depending on the attack, the consequences can be very difficult to recover from, hence this latest step by a purportedly business-friendly Florida legislature: the Florida Cybersecurity Incident Liability Act (H.B. 473), which would create a "safe harbor" of sorts to limit that fallout and the related liabilities.

But to be entitled to that "safe harbor," organizations would need to meet the conditions set within the law, namely compliance with recognized frameworks. The Act covers the following types of entity:


  • Counties
  • Municipalities
  • Other political subdivisions of the state
  • Commercial entities*
  • Third-party agents

Requirements: the Act provides that these organizations are not liable in connection with a cybersecurity incident, but only if they substantially comply with the requirements specified in the statute, including, but not limited to, compliance with one of the cybersecurity frameworks or standards it enumerates.

* For those entities that provide services or host data related to finances or healthcare, you would need to comply with one of the frameworks enumerated in the Act to fall under its protection, but you would also need to comply with HIPAA and/or GLBA, not as a matter of this law, but as part of your sector-required compliance.

Moreover, when your chosen standard or framework is revised, you would be required to adopt the updated version within the timeframe the Act specifies in order to maintain your protected status.


Where Does Florida's Cybersecurity Incident Liability Act Not Apply?

All that being said, it's important to note that this law would not grant blanket immunity against data breach lawsuits.

It is meant to help businesses mitigate certain class action exposure, and so it applies only to tort claims, such as those alleging negligence; claims brought on other grounds fall outside its scope. The safe harbor is also not automatic: should you wish to invoke it, you must demonstrate, as part of your defense in a lawsuit or otherwise, that your cybersecurity program complies with the law's requirements.


What Does the Cybersecurity Incident Liability Act Mean for Cybersecurity Compliance in Florida?

So what would this all mean for organizations operating in Florida? Enactment of the Cybersecurity Incident Liability Act would yield five important takeaways:

  1. There's Increased Incentive for Compliance: By offering limited liability protection, the Act incentivizes organizations to invest in more robust cybersecurity measures and to align their practices with established frameworks and standards.
  2. There's a Clear Path Forward in Compliance If You Need It: Because the Act names the cybersecurity frameworks and regulations with which organizations can comply to qualify for its protection, it offers a roadmap for your next compliance efforts.
  3. You Do Have Some Flexibility in Your Cybersecurity Implementation: In acknowledgment of the diverse landscape of businesses within Florida and their wide-ranging cybersecurity needs, the Act recognizes that the scale and scope of your compliance efforts may vary based on factors such as:
    • The size of your organization;
    • The nature of your activities; and
    • The sensitivity of the information you handle.
  4. Ongoing Compliance Maintenance is Also Required: To retain protection under the new law, and to maintain compliance generally, you must keep up with changes to the cybersecurity frameworks and standards you have implemented and adopt revised versions within the timeframe the Act specifies.
  5. You Still Have the Burden of Proof: If you face legal action related to a cybersecurity incident, your liability is limited by the Act only if you can prove substantial compliance with its requirements, which underscores yet again the importance of diligently adhering to your chosen cybersecurity program's best practices.


Next Steps Regarding Cybersecurity in Florida

The Cybersecurity Incident Liability Act, which would be codified as s. 768.401, Florida Statutes, proposes limitations on liability for entities affected by cybersecurity incidents. And while the bill has yet to be signed into law by Governor DeSantis, it still represents a potentially significant opportunity for businesses, as well as an incentive to proactively adopt and maintain a comprehensive cybersecurity framework.

Regardless of FL HB 473, cyber threats continue to evolve, and so everyone operating in Florida should take steps to assess the effectiveness of their security and privacy measures:

  • Review, and revise where necessary, existing security policies and procedures
  • Conduct risk assessments
  • Implement additional security measures to mitigate the vulnerabilities those assessments uncover
  • Create an incident response plan and train your employees on it

Effective cybersecurity is multi-faceted and must be integrated into your overall company culture, though implementing the right measures, and finding the right framework to follow, can be tricky. If and when Florida's Cybersecurity Incident Liability Act adds further incentive to fortify your digital defenses, you may be in the market for a trusted partner who can help simplify the required assessment process.

If that's the case, Schellman may be the right fit for you. We've been helping organizations untangle the complex landscape of cybersecurity compliance for over twenty years now, and with our subject matter experts we can help your business achieve the enhanced cybersecurity posture and regulatory compliance you need to fall under HB 473's protections. To learn more about us and the different frameworks we can assist you with, contact us today.

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301, as well as CSA STAR certification services. He has over 25 years of experience. Ryan is also an active member of the CSA and co-chairs the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.