The Possibility of Data Breach Immunity in Florida
Technology Section Chairs: John Mullen – Phelps Dunbar LLP & Kurt Sanger – Buchanan Ingersoll & Rooney PC
In the ever-changing landscape of data privacy law, Florida is one step closer to establishing immunity for businesses that suffer data breaches. The Florida Legislature recently passed Florida’s Cybersecurity Incident Liability Act, HB 473, which can provide immunity from civil liability to companies that have suffered a data breach if they meet certain conditions. The bill is expected to be signed by Governor Ron DeSantis.
Under HB 473, immunity is provided for both a covered entity and its third-party agent. A covered entity or third-party agent will not be liable in connection with a cybersecurity incident if it meets the following three criteria.
First, it must “substantially comply” with Fla. Stat. § 501.171(3)-(6), the Florida Information Protection Act (FIPA). Under FIPA, a covered entity must provide notice to Florida’s Department of Legal Affairs for any breach of security that affects 500 or more individuals in Florida, “as expeditiously as practicable” but no later than 30 days after the breach. FIPA also contains other technical requirements for information that entities must include in the notice and provide to the department when requested.
Second, the covered entity must adopt a cybersecurity program that “substantially aligns” with the current standards, guidelines, or regulations of various enumerated frameworks.
If the covered entity is regulated by the state or federal government (or both), it may also take advantage of immunity if it has adopted a cybersecurity program that “substantially aligns” with the current version of certain delineated laws, such as the Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164, subparts A and C.
A covered entity may demonstrate substantial alignment with any of these frameworks by providing documentation or other evidence of an assessment, whether conducted internally or by a third party, reflecting that the covered entity’s cybersecurity program is substantially aligned.
Third, to maintain immunity, a covered entity must ensure that its cybersecurity program substantially aligns with any revisions of relevant frameworks within one year after revisions are made.
If signed by Governor DeSantis, the law will take effect immediately. Importantly, it will apply to any lawsuit filed on or after the date of signing as well as to any pending class action in which class certification has not yet occurred.
HB 473 is a promising piece of legislation for companies dealing with personal data and operating in Florida. It provides a relatively clear roadmap on how companies should structure and implement their cybersecurity programs to take full advantage of the immunity being offered. The exact scope and reach of that immunity, though, will likely have to come from Florida courts as they consider what constitutes “substantial compliance” or “substantial alignment.” It is also worth noting that HB 473 likely only applies in Florida. Companies should be mindful of compliance with other states’ data privacy laws. But at least in Florida, a path to immunity from data breach lawsuits appears to have emerged.
Author: Chris Bach – Phelps Dunbar LLP
Jul-Aug 2024 | HCBA Lawyer