The Florida legislature passed a bill that provides immunity to companies that suffer a data breach. The immunity is conditioned on the company: (1) complying with the notice requirements of Florida’s data breach notification law, and (2) maintaining a cybersecurity program that tracks certain industry standards or legal requirements. The legislature passed the proposal (House Bill 473) on March 5, and the bill awaits the Florida governor’s decision. The legislation is the end product of Shook’s Privacy and Cybersecurity Team’s work with its partners and the Florida Legislature. Together, we crafted a bill encouraging companies to adopt cybersecurity measures to protect personal information by offering incentives that mitigate the costs of a tidal wave of questionable data breach class action lawsuits.
This alert explains how businesses qualify for immunity, what the immunity covers, where the bill goes from here [spoiler: it likely becomes law], and how it builds on safe harbors in other states. Along the way, we flag limitations that plaintiffs' lawyers will likely try to impose.
Legislative Background
HB 473 is the next step in a trend of states incentivizing data security by linking it to protection from the overwhelming costs of data breach class actions. The bill builds on laws enacted in Ohio, Utah, and Connecticut that provide limited protection to companies that comply with appropriate security controls but face data breach claims. Ohio began the trend by providing an affirmative defense against tort claims alleging the company’s failure to implement reasonable controls caused a personal data breach. Utah expanded the concept to cover non-tort claims and allegations of a delayed response but carved out situations where the company failed to act despite notice of a threat. Connecticut went the opposite direction, narrowing the safe harbor by still allowing tort claims but eliminating the availability of punitive damages (unless the issue was caused by gross negligence or willful/wanton conduct).
Florida’s bill goes further than the Ohio, Utah, and Connecticut laws. HB 473 provides (arguably) immunity for more types of claims, includes no carve-outs for failing to address known threats, and does not condition immunity on actual compliance with a cybersecurity program.
Qualifying for Immunity
Under the bill, a company is entitled to immunity if it:
- Provides Required Notices. The company must “substantially comply” with the individual, regulatory, and consumer reporting agency notice requirements of Florida’s data breach notification law—the Florida Information Protection Act (FIPA). To put a finer point on this, HB 473 does not require compliance with all of FIPA, just FIPA’s notification provisions.
- Adopts a Cybersecurity Program. A company must “adopt” a cybersecurity program that “substantially aligns” with either a current industry standard/framework (e.g., NIST) or an applicable state/federal law (e.g., HIPAA or GLBA).
- Updates its Cybersecurity Program. The company must promptly (within one year) update its cybersecurity program to “substantially align” with any changes to the applicable industry standard/framework, or law.
The bill is flexible in ways that are favorable to business. First, the bill broadly defines industry frameworks by including common ones (NIST, CIS Security Controls, HITRUST CSF, etc.) and a broad catchall: “Other similar industry frameworks or standards.” Second, the bill does not require perfection but rather “substantial” compliance or alignment.
Nevertheless, we anticipate plaintiffs’ lawyers will try to make obtaining immunity more difficult than the legislature intended by challenging whether companies “substantially” complied with FIPA’s notice requirements. Demonstrating substantial compliance with FIPA’s notice requirements sounds straightforward enough, but raising this defense by a motion to dismiss will present challenges. Plaintiffs will argue that they need discovery into the data incident (e.g., whose data was impacted, how many individuals, and what data elements) to properly evaluate whether the company substantially complied with FIPA’s notice provisions. But, as a practical matter, a company could share certain forensic data with plaintiffs’ counsel (confidentially), revealing that the claim is not worth the plaintiff investing further resources.
Similarly, we expect plaintiffs’ counsel will try to muddy the waters on whether the defendant substantially aligned with an applicable cybersecurity law or standard/framework. They will contend the assessment requires a balancing test by pointing to the multi-factor test in HB 473’s proposed § 768.401(4). But HB 473 also includes an objective method for meeting the substantial alignment standard: “providing documentation or other evidence of an assessment”—conducted by the company or a third party—“reflecting that the [company’s] . . . cybersecurity program is substantially aligned with the relevant framework, or standard, or with the applicable . . . law or regulation.” That provision would be superfluous if a multifactor test was still required, and such a reading is contrary to the legislature’s goal of reducing litigation costs for companies making good faith security efforts.
Scope of Immunity
The bill provides sweeping immunity: a company “is not liable in connection with a cybersecurity incident.” But what does that mean in practice? The courts will have to determine the exact scope of immunity, including which claims and which plaintiffs it applies to.
Turning first to applicable plaintiffs, the law likely is limited to those with claims subject to Florida law. As for the in-scope claims, the sweeping language all but explicitly encompasses Florida common law claims (e.g., negligence, unjust enrichment, breach of implied contract) and Florida statutory claims (e.g., consumer protection and unfair practice). But federal claims are likely not implicated by the immunity provision because of the Supremacy Clause. Similarly, claims for breach of express contract (e.g., failure to meet security guarantees in terms and conditions) are also likely outside the bounds. Such contract claims can often be prevented by engaging cybersecurity counsel to ensure the contracts contain provisions disclaiming certain cybersecurity risks or avoiding specific guarantees.
Next Steps
Having passed both legislative chambers, the bill is halfway to becoming law. HB 473 now awaits action by Florida’s governor, who is expected to sign it or allow it to become law without his signature. The bill will take effect on the day it becomes law, and companies will receive immunity for any claim “filed on or after” that date. Otherwise stated, the key question is the timing of the lawsuit—not the breach.