Florida cybersecurity safe harbor bill advances – Healthcare IT News


The Florida House of Representatives’ Commerce Committee referred the Cybersecurity Incident Liability Act (H.B. 473) to the State Administration & Technology Appropriations Subcommittee last week.
Introduced in November by Mike Giallombardo, R-Coral Gables, the chair of the state’s Energy, Communications & Cybersecurity Subcommittee, the law would provide safe harbor from cyber incident liability to government agencies and a list of entities that acquire, manage and use personal information, if the entity is “substantially” compliant with a cyber protection framework and the regulations governing the individual entity.
Those entities, ranging from sole proprietors and partnerships to corporations, cooperatives, associations and third-party agents, can implement any of the following under the proposed law:
The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
NIST special publication 800-171.
NIST special publications 800-53 and 800-53A.
The Federal Risk and Authorization Management Program security assessment framework.
The Center for Internet Security Critical.
The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards.
By being “substantially aligned” at the state and federal level to laws like the Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C or Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102.
To gain the proposed law’s presumption against liability, they must also adopt any revisions “of two or more of the frameworks or standards with which the entity complies” within one year after the latest publication date.
Florida, like any other state, has seen its share of cyberattacks, including an apparent ransomware attack on Tampa General that was stopped before its files were encrypted.
While that hospital thwarted a total lockout and extortion, at least 1.2 million patients and staff suffered the exposure of personally identifiable information and protected health data in the files the cybercriminals stole after breaking into the network, according to a WFLA story in July.  
Lawsuits often follow major data theft incidents. HCA Healthcare was sued that same month for a data breach that may have impacted 11 million people affiliated with care at 170 of its hospitals.
According to the U.S. District Court for the Middle District of Tennessee, two HCA patients living in Florida, plaintiffs Gary Silvers and Richard Marous, alleged that HCA “did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining.”
Several motions were filed in September and the case is ongoing.
As Florida moves forward on safe harbors for cyber hygienic, security-compliant organizations, it joins a handful of other states that proposed similar bills, along with Ohio, Utah and Connecticut, which have enacted data liability protection laws.
In 2018 the state of Ohio codified the nation’s first data protection act providing businesses with “an affirmative defense to some forms of data breach claims where the business has in place reasonable security measures at the time of the breach,” according to David Oberly, counsel who now leads Baker Donelson’s multidisciplinary Biometrics Team and provides legal counsel on a range of privacy and security issues.
He noted in 2019 that the then-new law in Ohio was curt, much as Giallombardo’s current proposal in Florida is, about how an entity satisfies “substantial” sufficiency with frameworks.
“The DPA provides no further discussion or explanation as to how a company can successfully establish that it has implemented sufficient cybersecurity measures to make itself eligible for the affirmative defense,” he wrote for Ohio Lawyer in an article posted by the Ohio Bar.
“Moreover, the act fails to provide any additional information regarding how a company can successfully establish that its cybersecurity plan ‘reasonably conforms’” with a framework.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.


© 2024 Healthcare IT News is a publication of HIMSS Media
