Originally published: April 8, 2024
Updated: July 2, 2024
On March 5, 2024, the Florida Legislature passed House Bill 473 (HB 473), a new law designed to shield businesses from data breach liability under certain conditions. To qualify for this protection, businesses would have needed to meet two criteria:
Substantial compliance with Florida's data breach requirements (Section 501.171 (3)-(6) of the Florida Statutes); and,
A cybersecurity program that substantially aligned with at least one recognized industry standard regulation.
The bill cited to several examples of acceptable standards including:
NIST Cybersecurity Framework
NIST Special Publications 800-171, 800-53, and 800-53A
CIS Critical Security Controls
ISO/IEC 27000 Family of Standards
HITRUST Common Security Framework (CSF)
SOC 2 Framework
HIPAA and the HITECH Act
Other comparable industry frameworks or relevant state/federal cybersecurity regulations
While HB 473 did not define the term "substantial alignment," it provided guidance for assessing compliance based on:
1. The size and complexity of the business;
2. The nature and scope of activities performed by the business; and,
3. The level of sensitivity of the information to be protected.
Governor DeSantis Vetoes HB 473
On June 26, 2024, Governor Ron DeSantis vetoed the bill, citing concerns that the "substantial compliance" standard was overly broad and could potentially lead to inadequate data security practices. In his veto statement, the Governor explained:
As passed, this bill could result in Floridians' data being less secure as the bill provides across-the-board protections for only substantially complying with standards. This incentivizes doing the minimum when protecting consumer data. While my Administration has prioritized policies to reduce frivolous litigation, the bill before me today may result in a consumer having inadequate recourse if a breach occurs.
Despite vetoing HB 473, Governor DeSantis expressed his openness to future legislation affording protection to businesses against data breach liability. In this respect, he encouraged stakeholders to collaborate with the Florida Cybersecurity Advisory Council to review potential alternatives to the bill that would better balance liability protection with robust consumer data safeguards.
Looking Ahead
The veto of HB 473 highlights the challenge of balancing business interests with adequate consumer data protection. While Florida lawmakers attempt to overcome this challenge, Florida businesses should continue to proactively prioritize the adoption of robust cybersecurity practices to mitigate the risk of potential data breaches and liability exposure.
The information provided here is for general informational purposes only and not intended as legal advice or opinion for any individual matter. Changes in laws or regulations may occur in the future and this content may not be the most up-to-date legal or other information. You should consult your own attorney for any legal advice you may require.
If you do not have an attorney and would like to explore how Venus Caruso can assist you, you can contact Venus by using the website’s contact form or by emailing her at venus@carusolawoffice.com.