Florida's legislature passed a bill providing, under certain conditions, immunity to companies that suffer a data breach. Florida's Cybersecurity Incident Liability Act, HB 473, is part of an emerging national trend in which states are incentivizing data security by linking it to protection from the overwhelming costs of data breach class-action lawsuits.

Under HB 473, companies that have suffered a data breach can receive immunity from lawsuits. That immunity, however, is conditioned upon compliance with Florida's data breach notification law and maintaining a cybersecurity program that tracks certain industry standards or legal requirements. The legislature passed HB 473 on 5 March, and the bill now awaits a decision by Gov. Ron DeSantis.

Building on a state trend

HB 473 builds on laws enacted in Ohio, Utah and Connecticut that provide limited protection to companies that comply with appropriate security controls but face data breach claims.

Ohio began the trend by providing an affirmative defense against tort claims alleging a company's failure to implement reasonable controls caused a personal data breach. Utah expanded the concept to cover nontort claims and allegations of a delayed response, but carved out situations where the company failed to act despite notice of a threat.

Connecticut went the opposite direction, narrowing the safe harbor by still allowing tort claims but eliminating the availability of punitive damages — unless the issue was caused by gross negligence or willful/wanton conduct.

Florida's bill goes further than the Ohio, Utah and Connecticut laws. HB 473 arguably provides immunity for more types of claims, does not include carve outs for not addressing known threats and does not condition immunity on actual compliance with a cybersecurity program.

Qualifying for immunity

A company is entitled to immunity under HB 473 if it provides required notices, adopts a cybersecurity program meeting certain criteria and updates that program.

Turning first to the notices, the company must "substantially comply" with the individual, regulatory and consumer reporting agency notice requirements of Florida's data breach notification law — the Florida Information Protection Act. To put a finer point on this, the bill focuses only on the FIPA's notification provisions and does not require compliance with the act in its entirety.

Second, the company must also "adopt" a cybersecurity program that "substantially aligns" with either a current industry standard or framework like those of the U.S. National Institute for Standards and Technology or an applicable state or federal law, such as the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.

Third, the company must update its cybersecurity program to "substantially align" with any changes to the relevant industry standard, framework or applicable law within one year of the published revisions.

The bill is flexible in ways that are favorable to businesses. It broadly defines industry frameworks — such as SOC 2, the Center for Internet Security Critical Security Controls and the HITRUST Common Security Framework — and offers a broad catchall for "other similar industry frameworks or standards." HB 473 also is business friendly because it does not require perfection but, rather, "substantial" compliance or alignment with the framework.

Nevertheless, we anticipate plaintiffs' lawyers will try to make obtaining immunity more difficult than the legislature intended by challenging whether companies "substantially" complied with the FIPA's notice requirements. Demonstrating substantial compliance sounds straightforward enough, but raising this defense by a motion to dismiss will present challenges. Plaintiffs will argue they need discovery into the data incident — such as whose data, how many individuals and what data elements were impacted — to properly evaluate whether the company substantially complied with the notice provisions. But, as a practical matter, a company could share certain forensic data with plaintiffs' counsel confidentially, revealing the claim is not worth the plaintiff investing further resources.

Similarly, we expect plaintiffs' counsel will try to muddy the waters on whether the defendant substantially aligned with an applicable cybersecurity law, standard or framework. They will contend the assessment requires a balancing test by pointing to the multifactor test in HB 473's proposed § 768.401(4). But HB 473 also includes an objective method for meeting the substantial alignment standard: "providing documentation or other evidence of an assessment, conducted internally or by a third-party, reflecting that the covered entity's or third-party agent's cybersecurity program is substantially aligned with the relevant framework or standard or with the applicable state or federal law or regulation."

That provision would be superfluous if a multifactor test was still required, and such a reading is contrary to the legislature's goal of reducing litigation costs for companies making good faith security efforts.

Scope of immunity

The bill provides sweeping immunity, stating a company "is not liable in connection with a cybersecurity incident." But what does that mean in practice? The courts will have to determine the exact scope of immunity, including to which claims and plaintiffs it will apply.

Turning first to applicable plaintiffs, the law likely is limited to those with claims subject to Florida law. As for the in-scope claims, the sweeping language all but explicitly encompasses Florida common law claims — negligence, unjust enrichment and breach of implied contract for example — and Florida statutory claims, such as consumer protection and unfair practice. But federal claims are likely not implicated by the immunity provision because of the U.S. Constitution's Supremacy Clause.

Similarly, claims for breach of express contract, such as failure to meet security guarantees in terms and conditions, are also likely outside the bounds. Such contract claims can often be prevented by engaging cybersecurity counsel to ensure the contracts contain provisions disclaiming certain cybersecurity risks or avoiding specific guarantees.

Next steps

Having passed both legislative chambers, HB 473 is halfway to becoming law. Gov. DeSantis is expected to sign the bill or allow it to become law without his signature. HB 473 would take effect on the day it becomes law, and companies will receive immunity for any claim "filed on or after" that date. Otherwise stated, the key question is the timing of the lawsuit — not the breach.