In a surprising turn of events, Governor DeSantis vetoed Florida's Cybersecurity Incident Liability Act, HB 473. As explained in our prior alert, that bill would have provided immunity from civil liability to companies that suffered a data breach if they met certain conditions. The Governor's decision underscores the necessity for Florida companies to maintain robust cybersecurity measures.
On June 26, 2024, Governor DeSantis formally vetoed the legislation. In doing so, he provided a letter that revealed his rationale. He began by noting that that HB 473 would provide "broad liability protections for state and local governments and private companies." He took issue with the bill, however, because those governments and companies only had to "substantially comply with minimum cybersecurity standards in the event of a data breach or other cybersecurity event."
More precisely, Governor DeSantis explained his view that "the bill could result in Floridians' data being less secure as the bill provides across-the-board protections for only substantially complying with standards." He believed that this would "incentivize[] doing the minimum." Ultimately, Governor DeSantis argued that HB 473 "may result in a consumer having inadequate recourse if a breach occurs."
In concluding his letter, though, Governor DeSantis expressed a willingness to review "potential alternatives to the bill that provide a level of liability protection while also ensuring critical data and operations against cyberattacks are protected as much as possible." He encouraged interested parties to coordinate with the Florida Cybersecurity Advisory Council. With data breach litigation only continuing to increase across the country—and notably within the state of Florida, which remains a hotbed for data breach litigation—Florida legislators may pursue a narrower or more stringent bill in the future.
If HB 473 had become law, it would have pushed the envelope on a growing trend among states to enact greater protections for companies facing data breaches. Indeed, it would have provided a level of immunity for substantially complying companies. For now, that level of immunity appears to be out of reach. Based on the Governor's concluding remarks in his letter, though, legislators may pursue a similar bill in the future that could afford some level of immunity or heightened protections. The Phelps team will provide updates on developments, and businesses should remain vigilant and proactive in their cybersecurity efforts to manage risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.