Florida Governor Vetoes Cybersecurity “Safe Harbor” Bill

Florida Governor Ron DeSantis today vetoed a bill that would have extended “safe harbor” from data breach litigation to businesses compliant with certain industry-recognized cybersecurity standards.

The governor said HB 473 would “result in Floridians’ data being less secure as the bill provides across-the-board protections for only substantially complying with standards. This incentivizes doing the minimum when protecting consumer data.’’

The governor said the bill, as passed, “may result in a consumer having inadequate recourse if a breach occurs.’’

DeSantis encouraged the Legislature to come up with an alternative bill that provides “a level of liability protection while also ensuring critical data and operations against cyberattacks are protected as much as possible …”

The bill would have had a major impact on government and businesses, offering them safe harbor from expensive litigation, if they “substantially” implemented security measures considered as best practices within the industry. The bill passed the House on an 81-28 vote on March 1 and the Senate on a 32-8 vote on March 5.

Advocates of the bill said it would incentivize local governments, businesses, and third-party agents that maintain sensitive data to voluntarily comply with industry-recognized cybersecurity frameworks such as those developed by the National Institute for Standards and Technology (NIST) and the Center for Internet Security (CIS) Critical Security Controls.