Josh Hansen and Alfred Saikali of Shook, Hardy & Bacon write:
The Florida legislature passed a bill that provides immunity to companies that suffer a data breach. The immunity is conditioned on the company: (1) complying with the notice requirements of Florida’s data breach notification law, and (2) maintaining a cybersecurity program that tracks certain industry standards or legal requirements. The legislature passed the proposal (House Bill 473) on March 5, and the bill awaits the Florida governor’s decision. The legislation is the end product of Shook’s Privacy and Cybersecurity Team’s work with its partners and the Florida Legislature. Together, we crafted a bill encouraging companies to adopt cybersecurity measures to protect personal information by offering incentives that mitigate the costs of a tidal wave of questionable data breach class action lawsuits.
The article provides an overview of the provisions and points out that this is part of a legislative trend, with Florida being the latest state to try to link protection from data breach class action lawsuits to improving data security. The authors explain:
The bill builds on laws enacted in Ohio, Utah, and Connecticut that provide limited protection to companies that comply with appropriate security controls but face data breach claims. Ohio began the trend by providing an affirmative defense against tort claims alleging the company’s failure to implement reasonable controls caused a personal data breach. Utah expanded the concept to cover non-tort claims and allegations of a delayed response but carved out situations where the company failed to act despite notice of a threat. Connecticut went the opposite direction, narrowing the safe harbor by still allowing tort claims but eliminating the availability of punitive damages (unless the issue was caused by gross negligence or willful/wanton conduct).
Florida’s bill goes further than the Ohio, Utah, and Connecticut laws. HB 473 provides (arguably) immunity for more types of claims, includes no carve-outs for not addressing known threats, and does not condition immunity on actual compliance with a cybersecurity program.
Read more at JDSupra.
DataBreaches suspects that some of these legislative developments in Florida and other states may come as a surprise to some readers. Do these bills actually protect consumers by reducing the risk of data breaches because companies invest more in, and comply more with, data security, or do they just give entities protection from being held accountable while consumers suffer the consequences of breaches? In Florida’s case, the state also has a law that bans state agencies, counties, and municipalities experiencing a ransomware incident from paying or otherwise complying with a ransom demand. Threat actors might presumably have less motivation to attack Florida government entities if the entities cannot pay any ransom. And now threat actors would not really be able to pressure victims to pay with the threat that consumers or patients will start class action lawsuits.
Assuming HB 473 is signed into law, is Florida reducing the risk of attacks on Floridians by banning payments by government entities and immunizing a broad swath of entities from data breach lawsuits if they substantially comply with cybersecurity standards established by federal and industry standards? Time will tell.