On March 5, 2024, House Bill 473 for an act relating to cybersecurity incident liability was enrolled, after passing both the House of Representatives and the Senate on March 1, 2024, and March 5, 2024, respectively.

What are the main provisions of the bill?

Notably, the bill provides that a covered entity or third-party agent that acquires, maintains, stores, processes, or uses personal information is not liable in connection with a cybersecurity incident if the covered entity or third-party agent complies with the following:

• substantially complies with the relevant requirements of security of confidential personal information under Section 501.171 of the Florida Statutes; and
• has adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines, or regulations that implement applicable cybersecurity standards, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, NIST special publication 800-171, and NIST special publications 800-53 and 800-53A, among others; or
• if regulated by the State or Federal Government has adopted a cybersecurity program that substantially aligns with the current version of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, and other similar requirements mandated by state or federal law or regulation, as applicable.

In addition, the bill provides that in order to demonstrate substantial alignment with a framework or standard, the covered entity or third-party agent may provide documentation or other evidence of an assessment, conducted internally or by a third party, reflecting that the covered entity's or third-party agent's cybersecurity program is substantially aligned with the relevant framework or standard or with the applicable state or federal law or regulation.

The bill further sets out the factors to be considered when determining whether a covered entity's or third-party agent's cybersecurity program is in substantial alignment:

• the size and complexity of the covered entity or third-party agent;
• the nature and scope of the activities of the covered entity or third-party agent; and
• the sensitivity of the information to be protected.

Covered entities and third-party agents also need to revise their cybersecurity programs in order to maintain substantial alignment with relevant frameworks or standards or of applicable state or federal laws or regulations and retain protection from liability.

You can read the bill here and track its progress here.