Florida’s H.B. 473 Cybersecurity Incident Liability Act

June 18, 2024

Cybersecurity, Incident Response, and Liability: Florida's H. B. 473

Cybersecurity is a complex and dynamic field where new threats emerge daily, often outpacing traditional security measures. For businesses, data breaches can have severe consequences, including financial losses, reputational damage, and legal liabilities. When sensitive information, such as personal data or financial records, is compromised, it can lead to identity theft, fraud, and other malicious activities. In response to these risks, many states have enacted legal safe harbor provisions for companies that adhere to specific cybersecurity protocols in the event of a security breach. Historically, the law has drawn no distinction between firms that have invested in their cybersecurity programs and “done the right thing” and those that have taken a laissez-faire approach to their security programs.

In this "imperfect world," no organization can guarantee absolute protection against all cyber threats due to evolving attack methods, sophisticated threat actors, and unknown vulnerabilities in systems and applications. In 2023 alone, there were around 2365 cyber-attacks, which impacted more than 343 million individuals. Apart from compromising sensitive data and endangering the safety of users and customers, cyber-attacks and data breaches result in significant financial consequences. The potential costs associated with cyber incidents and data breaches are projected to reach an astronomical $10.5 trillion by the year 2025. It costs an organization $1.58 million on average to detect and mitigate a data breach. Additional factors such as legal fees, regulatory fines, operational disruption, and reputational damage exacerbate the problem. In the average data breach, an organization loses $1.3 million.

Even in the face of these insurmountable odds, it is still crucial for companies to prioritize comprehensive security measures as part of their responsibility to safeguard their operations, assets, and customers' sensitive data. That said, how do you mitigate unknown threats and vulnerabilities? Punishing a company that diligently protected itself but still experienced a breach and subsequent customer lawsuits is akin to penalizing a careful driver for an accident caused by another's recklessness. In light of these complexities, laws similar to Florida’s H.B. 473 make sense as they provide a legal safe harbor for organizations that have taken substantial steps to protect themselves.

Florida H.B. 473 Introduces Cyber Immunity

To quote Bob Dylan, “the times they are a-changin’,” and Florida's proposed legislation HB 473 introduces the concept of immunity for government agencies and various entities from liability claims arising from data breaches during cyberattacks. This proposed legislation will shield organizations from legal action if the organization meets certain criteria outlined in the law.

Conditions for Cyber Immunity under HB 473

The key conditions for organizations to qualify for immunity under HB 473 include:

  1. Compliance with Florida Information Protection Act (FIPA): Organizations must substantially comply with the Florida Information Protection Act, which typically requires them to notify affected individuals and relevant authorities within a specified period after discovering a breach affecting 500 or more individuals in Florida.
  2. Maintaining a Cybersecurity Program: Organizations must also demonstrate that they have a cybersecurity program in place that substantially satisfies recognized industry standards or applicable federal or state legal requirements, such as NIST frameworks, CIS Critical Security Controls, HITRUST CSF, HIPAA, Title V of The Gramm-Leach-Bliley Act, and others. This program should include regular security assessments, data encryption, access controls, employee training, incident response plans, and compliance with relevant industry regulations.
  3. Ensuring Compliance with Updated Standards and Revisions: To uphold immunity under the law, organizations must also ensure that their cybersecurity program is significantly aligned with any updates to relevant frameworks within one year of implementing those revisions.

The saying in cybersecurity is that “a hacker only has to be right once,” while companies have to get it right all the time. In this complex game of cat and mouse, the cat (representing the company) is bound to lose eventually as the nimble mouse (the hackers) consistently finds ways to outmaneuver the company’s defenses and discover novel avenues of attack. 

Analysis

Florida’s House Bill 473 encourages companies to adopt enhanced cybersecurity measures by granting them a degree of immunity against the onslaught of tort claims and class action lawsuits that typically follow a data breach. The law does not prescribe a “minimum” threshold or baseline requirements for companies to aim for as a means of achieving “compliance,” which can, in some instances, create more confusion. Rather, the purpose of the law is to incentivize companies to self-direct their cybersecurity programs in ways that they consider to be of the highest value in terms of preventing breaches and safeguarding customer data. 

Furthermore, the tort principle of “comparative negligence” may come into play in the decision-making process for companies. This principle usually splits fault between a plaintiff and a defendant by percentage. Under the new law, companies not deemed “substantially aligned” with their relevant cybersecurity frameworks could still be assigned a percentage of immunity commensurate with the degree of care they have taken to improve their cybersecurity programs. Since the idea is to incentivize companies to continually maintain and progress their security posture, even if they are not “substantially aligned” with their applicable security frameworks, incremental improvements could provide protective value for them on the margin. That is to say, a measure that improves security posture could bring a corresponding increase in the percentage of immunity a court is likely to find them eligible for in a suit brought following a data breach. Regardless of where an organization may be in this respect, it always behooves organizations to invest in cybersecurity.

Benefits:

  1. Incentive for Compliance: The immunity provision incentivizes companies to invest in robust cybersecurity measures and adhere to data breach notification requirements, ultimately enhancing data protection efforts. By prioritizing these measures to qualify for immunity, businesses reduce their vulnerability to data breaches and contribute to a more secure digital ecosystem.
  2. Reduced Legal Risks: Companies that qualify for immunity may experience reduced legal risks and financial burdens associated with defending against data breach-related lawsuits. This strongly incentivizes companies to invest in cybersecurity as part of their overall risk management strategy.
  3. Reduced Insurance Premiums: One of the significant advantages of Florida's HB 473 is the potential for reduced insurance premiums for businesses. Insurance companies assess risk factors when determining premiums, including an organization's cybersecurity posture and history of data breaches. By providing immunity under certain conditions, the legislation incentivizes businesses to invest in robust cybersecurity measures and demonstrate compliance with data breach notification requirements. This proactive approach can lead to lower perceived risk by insurers, reducing premiums for cyber insurance policies. The due diligence required by the insurance companies who write these policies can also help companies satisfy the burden of proof that the law places on them to attest to their cybersecurity stance when defending themselves in court.

Concerns:

  1. Potential Loopholes: Critics of the legislation argue that the immunity provision could create loopholes that allow negligent companies to escape accountability for data breaches, especially if they can demonstrate minimal compliance with cybersecurity standards. The text of HB 473 reads: “The bill does not establish a private cause of action. It provides that the failure of a county, municipality, other political subdivision of the state, covered entity, or third-party agent to implement a cybersecurity program as specified in the bill substantially is not evidence of negligence and does not constitute negligence per se.” This means that the bill does not define what constitutes a violation of the law under which a plaintiff could seek a remedy, leaving a lot of latitude as to which incidents are subject to legal action. Determining whether a company meets the required standards for immunity can be complex and subjective, leading to potential disputes and inconsistencies in enforcement. The devil, as always, will be in the details and in how the courts interpret the law.
  2. Impact on Consumer Rights: Immunity for companies could impact consumer rights, potentially limiting avenues for affected individuals to seek compensation or hold companies accountable for data breach incidents. It will be critical for the courts to keep the balance between consumer rights and the prevention of frivolous suits in mind. Proper implementation will ideally lead to appropriate recompense for claimants while also sending the message that claims with little or no standing will be dismissed. If the law is repeatedly interpreted by the courts in favor of businesses with legitimately questionable cybersecurity practices, it will wind up working counter to its stated purpose.

Conclusion

While complete protection against all cyber threats may be unattainable, effective risk management strategies are essential for mitigating potential damages. Florida's proposed legislation acknowledges this reality by incentivizing businesses to proactively manage cybersecurity risks through preventive measures, incident response preparedness, and compliance with legal requirements.

Florida's HB 473 presents an opportunity for the Florida courts to show businesses the benefit and return on investment of enhancing their resilience against data breaches while navigating the complexities of the cybersecurity landscape. By reducing insurance premiums and promoting good cyber hygiene practices, the legislation fosters a proactive approach to risk management in an environment where absolute security is elusive. How well the bill achieves this will depend on how the courts handle the first cases under it. If they effectively demonstrate by their rulings that immunity or liability will be meted out properly based on fair assessments of the cybersecurity programs at issue, then companies will act accordingly. As organizations adapt to evolving cyber threats, leveraging data breach immunity alongside comprehensive cybersecurity strategies can strengthen their defenses, contribute to a more secure digital ecosystem, and foster an environment where companies and consumers are better off.