The Commerce Committee of the Florida House of Representatives last week referred the Cyber Security Incident Liability Act (HB 473) to the Subcommittee on State Management and Technology Appropriations.
The bill, introduced in November by Mike Giallombardo, R-Coral Gables, chairman of the state Subcommittee on Energy, Communications and Cybersecurity, would provide a safe harbor from liability for cyber incidents to government agencies and to a list of entities that acquire, manage and use personal information, provided the entity "substantially" complies with a cybersecurity framework and with the regulations applicable to it.
These entities, ranging from sole proprietorships and partnerships to corporations, cooperatives, associations and third-party agents, could implement any of the following under the proposed law:
- The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
- NIST Special Publication 800-171
- NIST Special Publications 800-53 and 800-53A
- The Federal Risk and Authorization Management Program Security Assessment Framework
- The Center for Internet Security Critical Security Controls
- The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards
Entities can also qualify by being "substantially aligned" with state and federal laws such as the Health Insurance Portability and Accountability Act of 1996, the security requirements in 45 CFR part 160 and part 164 subparts A and C, or Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102.
To qualify for the proposed law's liability protection, entities must also adopt any revisions "to two or more of the frameworks or standards to which the entity complies" within one year of the latest publication date.
Lawsuits over cyberattacks are on the rise
Florida, like every other state, has seen its fair share of cyberattacks, including an apparent ransomware attack on Tampa General that was stopped before the files were encrypted.
While the hospital thwarted a full lockout and extortion, the personally identifiable information and protected health information of at least 1.2 million patients and staff members were exposed in the files the cybercriminals stole after breaking into its network, according to a WFLA story in July.
Lawsuits often follow major data theft incidents. HCA Healthcare was sued that same month over a data breach that potentially affected 11 million people who received care at 170 of its hospitals.
In the U.S. District Court for the Middle District of Tennessee, two HCA patients living in Florida, Gary Silvers and Richard Marous, alleged that HCA "failed to use reasonable security procedures and practices appropriate to the nature of the sensitive information it maintained."
Multiple motions were filed in September, and the case is still ongoing.
Liability at the state level
As Florida moves forward on safe harbors for security-compliant organizations that practice good cyber hygiene, it joins a handful of other states that have introduced similar bills, as well as Ohio, Utah and Connecticut, which have already passed data liability protection laws.
In 2018, Ohio codified the nation's first such data protection law, which provides companies with "an affirmative defense to some types of data breach claims where the company had reasonable security measures in place at the time of the breach," according to David Oberly, counsel, who now leads Baker Donelson's multi-disciplinary biometrics team and advises on a range of privacy and security issues.
He noted in 2019 that Ohio's then-new law was as sparse as Giallombardo's current Florida proposal on how an entity demonstrates "substantial" compliance with the frameworks.
“The DPA provides no further discussion or explanation as to how a company can successfully determine that it has implemented sufficient cybersecurity measures to qualify itself for the affirmative defense,” he wrote for Ohio Lawyer in an article posted by the Ohio Bar.
“Additionally, the law does not provide additional guidance on how a company can successfully determine that its cybersecurity plan is ‘reasonably compliant’” with a framework.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.