April 1, 2024
Florida Legislature Passes Bill Providing for Data Breach Immunity
The Florida Legislature recently passed House Bill 473, which (as of March 28) is pending approval by the governor. If enacted, the bill will provide important new liability protections to businesses that suffer data breaches despite the adoption and implementation of meaningful data privacy and cybersecurity safeguards.
To benefit from the liability protections, businesses (including vendors that store, maintain or process personal information on behalf of a business) must meet the specific conditions outlined below:
- Notice Compliance: Businesses must substantially comply with the notice requirements under the Florida Information Protection Act.
- Cybersecurity Program: Businesses must adopt and implement a cybersecurity program that substantially aligns with recognized industry standards or applicable state or federal laws. The bill offers businesses numerous options, including the cybersecurity standards set forth in sectoral laws such as HIPAA (healthcare) or GLBA (finance) and various widely adopted third-party standards such as SOC 2 and HITRUST. Notably, however, the legislation clarifies that the failure to implement such programs may not be used as evidence of negligence, does not constitute negligence per se and does not otherwise give rise to a private right of action.
- Program Updates: Businesses must update their cybersecurity program to align with any changes in industry standards or laws within one year.