Back to the Drawing Board with Data Breach Immunity
Technology Section Chairs: Jason Pill – Phelps Dunbar & Kurt Sanger – Buchanan Ingersoll & Rooney
In response to the flood of data breach litigation over the last few years, there has been a recent trend in some states to enact laws providing limited protections for companies facing data breach claims. Florida was one step away from being a leader in that trend and advancing the protections offered to those companies. Earlier this year, the Florida Legislature passed Florida's Cybersecurity Incident Liability Act, HB 473, which would have provided immunity from civil liability to companies that suffered a data breach if they met certain conditions. In a somewhat surprising turn of events, however, Governor DeSantis vetoed that legislation.
To better understand his veto, it is important to understand what HB 473 would have done. Under HB 473, a covered entity or third-party agent would not be liable in connection with a cybersecurity incident if it met three criteria. First, it would have had to “substantially comply” with Fla. Stat. § 501.171(3)-(6), the Florida Information Protection Act (FIPA), including the notice provisions under that statute.
Second, the covered entity would have had to adopt a cybersecurity program that “substantially aligns” with the current standards, guidelines or regulations of various, enumerated frameworks.
Third, to maintain immunity, a covered entity would have had to ensure that its cybersecurity program substantially aligned with any revisions of relevant frameworks within one year after revisions were made.
When Governor DeSantis vetoed the legislation, he provided a letter explaining his reasoning. He took issue with the requirement that companies only had to “substantially comply with minimum cybersecurity
continued on page 59
58 SEP-OCT 2024 | HCBA LAWYER