The Florida House of Representatives Commerce Committee submitted the Cybersecurity Incident Liability Act (HB 473) to the State Administration and Technology Appropriations Subcommittee last week.
The bill, introduced in November by Mike Giallombardo (R-Coral Gables), chairman of the state’s Energy, Communications and Cybersecurity Subcommittee, addresses cyber incident liability for government agencies and other entities. It provides a safe harbor for a list of organizations that acquire, manage and use … if the entity is “substantially” compliant with the cybersecurity framework and the regulations governing that particular entity.
These entities, which range from sole proprietorships and partnerships to corporations, cooperatives, associations and third-party agencies, could qualify under the proposed law by substantially complying with any of the following frameworks:
National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
NIST Special Publication 800-171
NIST Special Publications 800-53 and 800-53A
Federal Risk and Authorization Management Program Security Assessment Framework
Center for Internet Security Critical Security Controls
International Organization for Standardization/International Electrotechnical Commission 27000 Series (ISO/IEC 27000) family of standards
At the state and federal level, an entity could also qualify by being “substantially consistent” with laws such as the security requirements of the Health Insurance Portability and Accountability Act of 1996 (45 CFR Part 160 and Part 164, subparts A and C) or Title V of the Gramm-Leach-Bliley Act of 1999 (Pub. L. No. 106-102).
To obtain the liability protection of the proposed law, an entity would also have to adopt revisions to the “two or more frameworks or standards to which companies comply” within one year of the date of the most recent promulgation.
Cyber attack lawsuits are rapidly increasing
Florida, like other states, has been plagued by cyberattacks, including an apparent ransomware attack on Tampa General that was stopped before files were encrypted.
The hospital thwarted a complete lockout and extortion attempt, but the personally identifiable information and protected health data of at least 1.2 million patients and staff were exposed in files stolen by cybercriminals who infiltrated its networks, according to a July WFLA story.
Lawsuits often follow large-scale data theft incidents. That same month, HCA Healthcare was sued over a data breach that may have affected 11 million healthcare workers across 170 of the company’s hospitals.
In a filing in the U.S. District Court for the Middle District of Tennessee, plaintiffs Gary Silvers and Richard Marous, two Florida patients of HCA, allege that HCA “has not been able to do anything within reasonable limits appropriate to the nature of the confidential information it maintains” and that “the company did not employ proper security procedures and practices.”
Several motions were filed in September, and the lawsuit is ongoing.
Responsibility at the state level
With this bill, Florida would join Ohio, Utah and Connecticut, which have enacted safe-harbor laws for organizations that practice cyber hygiene and comply with security frameworks, as well as several other states that have proposed similar legislation.
Attorney David Oberley, who leads Baker Donelson’s multidisciplinary biometrics team and provides legal counsel on a variety of privacy and security issues, said Ohio codified the nation’s first such data protection law in 2018, giving companies that take reasonable security measures an “affirmative defense” against certain data breach claims.
In 2019 he pointed out that Ohio’s then-new law was as terse as Giallombardo’s current Florida proposal on the question of how an entity demonstrates “substantial” compliance with a framework.
“The DPA does not provide any further discussion or explanation of how a company can demonstrate that it has sufficient cybersecurity measures in place to qualify for an affirmative defense,” he wrote in an article for Ohio lawyers published by the Ohio Bar.
“Furthermore, the law does not provide additional information on how companies can establish that their cybersecurity plans are ‘reasonably compatible’ with the Framework.”
Andrea Fox is a senior editor at Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.