A business tries to safeguard its networks, yet it still suffers a cyberattack compromising clients’ personal identification information. Should it be held civilly liable? The Florida Legislature said no last spring, provided the business can demonstrate those good-faith efforts.
HB 473 would have provided liability protection to local governments and businesses “that substantially compl(y) with the cybersecurity training, standards, and notification protocols under current law.” But Gov. Ron DeSantis vetoed it, saying it didn’t go far enough.
The bill required substantial compliance with recognized national cybersecurity standards. That “incentivizes doing the minimum when protecting consumer data,” unintentionally making private information less secure, DeSantis wrote.
But full compliance “is nearly impossible,” says bill sponsor Rep. Mike Giallombardo (R-Cape Coral), noting frequent changes to those standards and the challenge of ensuring that all employees receive all the required monthly training. “Hence, ‘substantial compliance’ was a crucial part of the bill to ensure its effectiveness.”
His bill was designed to be an incentive for businesses to do more to secure liability protection, he says.
Noting his opposition to “frivolous litigation,” DeSantis expressed concern that the law could hurt consumers who suffer a breach. He invited lawmakers to try again after working with the state’s Cybersecurity Advisory Council.
Giallombardo, a National Guard officer, says that if he’s reelected, he will do just that.












