“Safe Harbor” Against Breach Suits to Organizations with Recognized Cybersecurity Regulation Programs
By Saili Hernandez, ERMProtect
This is one in a series of articles by ERMProtect tracking key changes in cybersecurity regulations, standards, and laws that could impact our clients and prospective clients.
A bill passed by the Florida Legislature on March 5 would give Florida governments, businesses, and third-party agents protection against liability claims resulting from data breaches, provided they comply with certain industry-recognized cybersecurity regulation measures.
If signed by the governor, the bill would have a major impact on government and businesses such as banks, hospitals, and other breach-prone businesses, offering them safe harbor from expensive litigation. The bill, HB 473, passed the House on an 81-28 vote on March 1 and the Senate on a 32-8 vote on March 5, shortly before the legislative session shut down for the year.
In essence, the act incentivizes local governments, businesses, or third-party agents to voluntarily comply with industry-recognized cybersecurity frameworks, such as those developed by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) Critical Security Controls.
While H.B. 473 is not law yet, local governments and businesses should take proactive measures now to implement a robust cybersecurity program to enjoy potential immunity in the case of a cyberattack.
Bill Follows Spate of Attacks
This bill comes hot on the heels of several cyberattacks against Florida state systems and businesses.
- On September 14, 2023, Fort Lauderdale made a $1.2 million payment to scammers in a phishing attack. The perpetrator pretended to be Moss Construction in an e-mail requesting an ACH payment for a new police headquarters building.
- On January 29, 2024, Jacksonville Beach suffered a cyberattack that forced city services to shut down.
- Last October, outpatient radiology and oncology clinic Akumin suffered a catastrophic ransomware attack that forced all the company’s clinics in Florida to shut down.
- In November 2023, Fidelity National Financial, a Florida-based real estate title insurance provider, suffered an attack by the Russian hacker group BlackCat that compromised the personal information of 1.3 million customers.
Liability Protections for Local Governments
Local governments, in particular, are becoming an attractive target for hackers because budget constraints sometimes impact their ability to adequately protect confidential data. Sponsors of the proposed bill hope it will reduce the frequency of these cyberattacks by providing an incentive for local governments to meet strict cybersecurity regulation standards.
Specifically, the bill would provide local governments with protection from tort claims arising from data breaches so long as they have substantially complied with the cybersecurity measures of F.S. § 282.3185 (“Local Government Cybersecurity”). Generally, the Local Government Cybersecurity law requires local governments to comply with cybersecurity standards that safeguard data and ensure its availability, confidentiality, and integrity. The standards must be consistent with generally accepted best practices for cybersecurity, including the NIST cybersecurity framework.
Businesses Incentivized to Adopt Standards
Businesses and third-party agents have different standards to meet in order to enjoy immunity under the proposed bill. A business and third-party agent must first substantially comply with the notice protocols required under F.S. § 501.171(3)-(6), which generally require businesses to report breaches to the state, affected consumers, and credit reporting agencies. Additionally, they must maintain a robust cybersecurity program that includes compliance with recognized frameworks such as:
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- NIST Special Publication 800-171
- NIST Special Publications 800-53 and 800-53A
- The Federal Risk and Authorization Management Program security assessment framework
- The Center for Internet Security (CIS) Critical Security Controls
- The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards
- HITRUST Common Security Framework (CSF)
- Service Organization Control Type 2 (SOC 2) Framework
- Secure Controls Framework, or
- Other Similar Industry Frameworks or Standards.
Additionally, a business would be eligible for protection if it is regulated by the federal government and adopts a cybersecurity regulation program that substantially aligns with the requirements of the federal regulation. The laws include:
- Security requirements of HIPAA
- Title V of GLBA
- Federal Information Security Modernization Act of 2014
- Health Information Technology for Economic and Clinical Health Act
- Criminal Justice Information Services Security Policy, or
- Other similar requirements mandated by state or federal law.
The bill takes into consideration several factors when determining if a business or third-party agent is “substantially aligned” with the standards recognized by the bill. The factors include:
- The size and complexity of the business
- The nature and scope of the activities of the business, and
- The sensitivity of the information to be protected.
Safe Harbor Only Extends to Tort Claims
This flexible approach means that businesses will have different interpretations of what substantial alignment means, taking into consideration their business-specific needs.
The proposed law, filed on November 15, 2023, by House Representative Mike Giallombardo, applies only to tort claims, such as negligence. A business, local government, or third-party agent faced with a lawsuit must plead the protection as an affirmative defense.
It is important to note that H.B. 473 does not establish a private cause of action for individuals to sue under. Instead, the proposed bill works as a shield for local governments, businesses, or third-party agents that comply with the cybersecurity frameworks recognized in the bill.
Furthermore, the failure of a local government, business, or third-party agent to substantially implement a cybersecurity program is not evidence of negligence and does not constitute negligence per se. This means that local governments, businesses, or third-party agents are not automatically liable for negligence for failure to implement a program outlined by H.B. 473.
No Minimum Standards Yet
It is important to note that the proposed bill does not establish minimum cybersecurity standards that all Florida entities must meet. However, it rewards those local governments and businesses that implement the recognized frameworks by extending safe harbor. Failure to comply with HB 473 is not proof of negligence; however, entities involved in a breach would not enjoy the safe harbor provisions of the bill. Lastly, the bill provides that an entity involved in a security incident has the burden of proof to establish substantial compliance.
ERMProtect Can Help
For 26 years, ERMProtect has provided more than 400 organizations in 30+ industry verticals with cybersecurity regulation services and independent assessments of their compliance with measures mentioned in this article. We perform gap assessments and audits related to all of the major frameworks, regulations, and laws related to privacy and security. For more information, contact Silka Gonzalez or Judy Miller, or call 305-447-6760.
Ms. Hernandez is a third-year law student at Stetson University College of Law. She is a judicial intern in the U.S. District Court of the Middle District of Florida. She is the author of Applying International Law to Cross-Border Cyber Attacks Sponsored by State Actors, 3.2 Stetson Bus. L. Rev. (forthcoming 2025).
DISCLAIMER: This article was not prepared by a licensed attorney. This article is not intended to and does not constitute legal advice. Please seek independent legal counsel if you are trying to comply with these regulations.