Florida cybersecurity safe harbor bill advances

The Florida House of Representatives’ Commerce Committee referred the Cybersecurity Incident Liability Act (H.B 473), to the State Administration & Technology Appropriations Subcommittee last week.

Introduced in November by Mike Giallombardo, R-Coral Gables, the chair of the state’s Energy, Communications & Cybersecurity Subcommittee, the law would provide safe harbor to government agencies and a list of entities that acquire, manage and use personal information for cyber incident liability if the entity is “substantially” compliant with a cyber protection framework and the regulations governing the individual entity.

Those entities, ranging from sole proprietors and partnerships to corporations, cooperatives, associations and third-party agents, can implement any of the following under the proposed law:

• The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

• NIST special publication 800-171.

• NIST special publications 800-53 and 800-53A.

• The Federal Risk and Authorization Management Program security assessment framework.

• The Center for Internet Security Critical.

• The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards.

By being “substantially aligned” at the state and federal level to laws like the Health Insurance Portability and Accountability Act 54 of 1996 security requirements in 45 C.F.R. part 160 and part 164 55 subparts A and C or Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. 57 No. 106-102.

To gain the proposed law’s presumption against liability, they must also adopt any revisions “of two or more of the frameworks or standards with which the entity complies” within one year after the latest publication date.

Cyberattack lawsuits proliferate

Florida, like any other state, has seen its share of cyberattacks, including an apparent ransomware attack on Tampa General that was stopped before its files were encrypted.

While that hospital thwarted a total lockout and extortion, at least 1.2 million patients and staff suffered the exposure of personally identifiable information and protected health data in the files the cybercriminals stole after breaking into the network, according to a WFLA story in July.  

Lawsuits often follow major data theft incidents. HCA Healthcare was sued that same month for a data breach that may have impacted 11 million people affiliated with care at 170 of its hospitals.

According to the U.S District Court in Middle District of Tennessee, two HCA patients living in Florida plaintiffs Gary Silvers and Richard Marous alleged that HCA “did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining.”

Several motions were filed in September and the case is ongoing.

Liability at the state level

As Florida moves forward on safe harbors for cyber hygienic, security-compliant organizations, it joins a handful of other states that proposed similar bills, along with Ohio, Utah and Connecticut which have enacted data liability protection laws.

In 2018 the state of Ohio codified the nation’s first data protection act providing businesses with “an affirmative defense to some forms of data breach claims where the business has in place reasonable security measures at the time of the breach,” according to David Oberly, counsel who now leads Baker Donelson’s multidisciplinary Biometrics Team and provides legal counsel on a range of privacy and security issues.

He noted in 2019 that the then-new law in Ohio was as similarly curt as Giallombardo’s current proposal in Florida based on how an entity satisfies “substantial” sufficiency with frameworks.

“The DPA provides no further discussion or explanation as to how a company can successfully establish that it has implemented sufficient cybersecurity measures to make itself eligible for the affirmative defense,” he wrote for Ohio Lawyer in an article posted by the Ohio Bar.

“Moreover, the act fails to provide any additional information regarding how a company can successfully establish that its cybersecurity plan ‘reasonably conforms'” with a framework.