A bill recently passed that, once signed, could provide immunity against class action lawsuits.
What happened
Florida House Bill 473 was recently passed in March. While the bill still awaits Governor Ron DeSantis’ final decision, it’s expected to be signed into law.
The bill would provide immunity against class action lawsuits for certain companies that face data breaches. Immunity isn’t automatically granted, instead it’s given if organizations:
- Comply with Florida’s breach notification requirements
- Maintain a cybersecurity program that tracks industry standards and legal requirements for data security.
Going deeper
The bill is designed to be friendlier towards companies that were impacted by a data breach despite having reasonable safeguards in place.
Across the nation, class action lawsuits have surfaced in droves as a response to data breaches that impact customers or patients. Data breaches themselves can be expensive and damaging, yet many companies aren’t up to par with data protection standards.
Related: Study shows the cost of data breaches at an all-time high
The bill incentivizes security efforts by linking them to additional protections. If it passes, Florida will join a small group of other states, including Ohio, Utah, and Connecticut, that similarly protect organizations that comply with security regulations.
While the bill is business-friendly, immunity is still only provided in certain situations. Companies must provide notice and follow reporting guidance under the Florida Information Protection Act. Companies must also comply with industry standards, such as the NIST, or with the company’s applicable federal law, like HIPAA.
If there are changes to the framework or law, companies must become in alignment within a year. While the bill promotes compliance, it provides flexibility for businesses by allowing them to choose which industry standard they follow. It also doesn’t force organizations to be entirely compliant; the bill states organizations must have “substantial” compliance. Even though organizations must be substantially compliant, the potential law doesn’t describe what “substantial” compliance means, which could lead to lawsuits trying to prove an organization did not substantially comply with regulations.
Related: Getting started with the NIST cybersecurity framework
Why it matters
Data breaches have been increasing as malicious actors become more sophisticated. Organizations also increasingly rely on third parties for outsourcing tasks, usually operational, administrative, or technical. When a breach occurs, it can be a domino effect, impacting customers or patients associated with various companies.
As breaches increase, so do class action lawsuits, often demanding stricter security measures and financial compensation. These lawsuits have to prove the company was negligent or contributed to the breach in some way. With rising breaches and cases, when a company is impacted, it can have huge legal and financial consequences.
The big picture
The bill from Florida could be helpful for many organizations in the state. The government needs to encourage compliance and security, but the type of security deployed can be the biggest indicator of whether an organization will stay secure.
While many companies use security software, it’s important to use a system that is reliable and trustworthy. Many attacks are conducted via email, making an email security service necessary. Ultimately, it could prevent a devastating breach.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
