• Rep. Mike Giallombardo introduced legislation to protect various entities from liability in cyberattacks, provided they comply with established cybersecurity standards. 
• The bill specifies that entities like healthcare providers under specific regulations (e.g., HIPAA) must tailor their cybersecurity measures to these regulations, should the bill be adopted.
• Giallambardo’s proposal also states that failure to implement these programs is not evidence of negligence, and the burden of proof in legal cases lies with the defendant entity to show compliance.

Amid a rash of recent statewide cybersecurity attacks, Rep. Mike Giallombardo introduced legislation on Wednesday that would protect counties, municipalities, commercial entities, and third-party agents from liability in the event of a cyberattack, provided they comply with designated cybersecurity standards.

The core of the bill requires that the included entities align with established cybersecurity frameworks, such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Compliance requirements vary based on the size of the entity and the sensitivity of the data they handle.

Entities under specific regulations, like those bound by the Health Insurance Portability and Accountability Act (HIPAA), would be required to tailor their cybersecurity measures to meet these regulations, should the bill be adopted.

“A sole proprietorship, corporation, association, or other commercial entity that acquires, maintains, stores, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with [cybersecurity frameworks],” reads the bill.

The bill does state, however, that it does not establish a private cause of action for cybersecurity breaches,  meaning that failing to comply with the cybersecurity program is not considered direct evidence of negligence following a breach. Moreover, in legal cases related to cybersecurity incidents, the defendant entity must prove that it complied with the required cybersecurity standards.

“Failure of a county, municipality, or commercial entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se,” Giallambardo’s proposal states. “In an action in connection with a cybersecurity incident, if the defendant is an entity covered by [the proposal], the defendant has the burden of proof to establish substantial compliance.”

Last month, Florida’s First Judicial Circuit, comprised of Escambia, Okaloosa, Santa Rosa, and Walton counties, suffered a cybersecurity breach, with hackers allegedly gaining access to personal data and a network map of the court’s systems with local and remote service credentials.

Cybersecurity breaches have also plagued Florida’s healthcare facilities. Tampa General Hospital (TGH), one of Florida’s largest hospitals, announced that it suffered from a cybersecurity breach between May 12 and May 30 of this year, disclosing that an unauthorized third party accessed TGH’s network and obtained patient information.

Elsewhere, HCA Healthcare, which has 46 hospitals in Florida, reported in July that approximately 11 million individuals nationwide may have had their personal information compromised by an identified data leak. Similarly, the U.S. Department of Health and Human Services launched an investigation into a suspected ransomware attack against Tallahassee Memorial Healthcare in April that reportedly compromised the personal data of more than 20,000 individuals.

In October, Florida Department of Management Services (DMS) Secretary Pedro Allende told the House State Administration & Technology Appropriations Subcommittee that the agency is seeking $57 million in the next state budget for cybersecurity services. DMS is seeking $35 million in local government cybersecurity grants — a $5 million increase from the agency’s 2021 allocation — to assist local governments in their compliance with cybersecurity standards.