Jason Pill is a seasoned professional specializing in guiding businesses through diverse workplace challenges. He provides expert counsel on risk assessment, policy formulation, educational initiatives and contract drafting. Additionally, Pill represents clients in both state and federal courts, offering legal expertise when litigation becomes necessary.
Through this article Pill shares his insights on Florida's Cybersecurity Incident Liability Act (CILA), which aims to provide immunity for businesses facing data breaches by outlining criteria for compliance and aligning with cybersecurity frameworks, while also addressing the need for further clarity and the law's limitations in a broader context of data privacy litigation.
In the ever-changing landscape of data privacy law, Florida is one step closer to establishing immunity for businesses that suffer data breaches. The Florida Legislature recently passed Florida's Cybersecurity Incident Liability Act ("CILA"), HB 473, which can provide immunity from civil liability to companies that have suffered a data breach if they meet certain conditions. The bill is expected to be signed by Governor Ron DeSantis and become law in the coming weeks. If enacted, CILA would become one of the first acts of its kind in the country, perhaps serving as a model for other states to follow.
In response to the flood of data breach litigation over the last few years, there has been a recent trend in some states to enact laws that provide limited protections for companies facing data breach claims. But Florida's CILA goes a bit further than most other states' laws, which makes it especially compelling for companies.
Under CILA, immunity is provided for both a covered entity and its third-party agent. A covered entity or third-party agent will not be liable in connection with a cybersecurity incident if it meets the following three criteria.
First, it must "substantially comply" with Fla. Stat. § 501.171(3)-(6), the Florida Information Protection Act (FIPA). Under FIPA, a covered entity must provide notice to Florida's Department of Legal Affairs of any breach of security that affects 500 or more individuals in Florida, "as expeditiously as practicable" but no later than 30 days after the breach. FIPA also specifies the information that entities must include in the notice and must provide to the department on request.

Second, and the criterion likely to engender the most discussion (and litigation), the covered entity must adopt a cybersecurity program that "substantially aligns" with the current standards, guidelines or regulations of various frameworks, including:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
- NIST special publication 800-171
- NIST special publications 800-53 and 800-53A
- The Federal Risk and Authorization Management Program security assessment framework
- The Center for Internet Security (CIS) Critical Security Controls
- The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards
- HITRUST Common Security Framework (CSF)
- Service Organization Control Type 2 (SOC 2) Framework
- Secure Controls Framework
If the covered entity is regulated by the state or federal government (or both), it may also take advantage of immunity if it has adopted a cybersecurity program that "substantially aligns" with the current version of the following laws:
- The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C
- Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended
- The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283
- The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164
- The Criminal Justice Information Services (CJIS) Security Policy
- Other similar requirements mandated by state or federal law or regulation
CILA identifies how a covered entity may demonstrate "substantial alignment" with any of these frameworks: by providing documentation or other evidence of an assessment, whether conducted internally or by a third party, showing that the covered entity's cybersecurity program is substantially aligned. While CILA focuses on how a covered entity may document its compliance, it does not provide much detail on when a program "substantially aligns" with these standards, as opposed to, for example, only "partially aligning." Assuming CILA is enacted, this question will inevitably be analyzed by the courts, which may provide needed clarity on when a covered entity complies. For now, though, "substantial alignment" will be a source of substantial litigation fodder.
Third, to maintain immunity, a covered entity must ensure that its cybersecurity program substantially aligns with any revisions of relevant frameworks within one year after revisions are made.
Once signed by Governor DeSantis, the law will take effect immediately in Florida. Importantly, it will apply to any lawsuit filed on or after the date of signing as well as to any pending class action in which class certification has not yet occurred.
CILA is a promising piece of legislation for companies dealing with personal data and operating in Florida. Although it provides a roadmap on how companies should structure and implement their cybersecurity programs to take full advantage of the immunity being offered, more clarity is needed on the nuances. Specifically, the exact scope and reach of that immunity will likely have to come from Florida courts as they consider what constitutes “substantial compliance” or “substantial alignment.” Finally, it is significant to note that CILA likely only applies in Florida, thus reducing its impact on nationwide class actions or larger data breaches impacting individuals beyond Florida’s borders. As such, companies must remain mindful of compliance with other states’ data privacy laws and not treat CILA as a complete shield. But at least in Florida, a path to immunity from data breach lawsuits seems to have emerged.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.