Florida Legislature Proposes Legal Protections Against Data Breach Lawsuits

Health ITSecurity reports that the Florida legislature is proposing legal protections for businesses facing claims of negligence in data breach suits.

The Cybersecurity Incident Liability Act was reported by the Commerce Committee in January and has been referred to the Judiciary Committee. It incentivizes cybersecurity by providing a safe harbor for entities that implement industry-recognized standards.

The bill applies to local governments, some commercial entities, and third-party agents. It includes healthcare organizations, which are frequently targeted.

If passed as written, the act would deem an entity not liable for a cybersecurity incident if it “substantially complies with measures to protect data containing personal information,” and adopts a cybersecurity program based on certain standards.

It is not a liability shield. It allows entities that qualify to use their cybersecurity program as an affirmative defense in a lawsuit alleging negligence and gain a presumption against liability.

According to House staff analysis, “Under the bill, any commercial entity or third-party agent that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards, including the payment card industry data security standard, gains a presumption against liability in connection with a cybersecurity incident.”

In order to maintain the liability presumption, protected entities must revise their security frameworks annually according to revised standards. If a covered entity becomes a defendant in a lawsuit, it bears the burden of proving compliance with standards.