BUSINESSMANAGEMENTREVIEW.COM OCTOBER 2024 19

· The Federal Risk and Authorization Management Program security assessment framework
· The Center for Internet Security (CIS) Critical Security Controls
· The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards
· HITRUST Common Security Framework (CSF)
· Service Organization Control Type 2 (SOC 2) Framework
· Secure Controls Framework

If the covered entity is regulated by the state or federal government (or both), it may also take advantage of immunity if it has adopted a cybersecurity program that "substantially aligns" with the current version of the following laws:

· The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C
· Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended
· The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283
· The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164
· The Criminal Justice Information Services (CJIS) Security Policy
· Other similar requirements mandated by state or federal law or regulation

CILA identifies how a covered entity may demonstrate "substantial alignment" with any of these frameworks by providing documentation or other evidence of an assessment, whether conducted internally or by a third party, reflecting that the covered entity's cybersecurity program is substantially aligned. While CILA focuses on how a covered entity may document its compliance, CILA does not provide great detail on when a company "substantially aligns" with these current standards, as opposed to, for example, only "partially aligning." Assuming CILA is enacted, this issue invariably will be analyzed by courts that may provide needed clarity on when a covered entity complies. For now, though, the issue of "substantial alignment" will be a source of substantial litigation fodder.

Third, to maintain immunity, a covered entity must ensure that its cybersecurity program substantially aligns with any revisions of relevant frameworks within one year after revisions are made.

Once signed by Governor DeSantis, the law will take effect immediately in Florida. Importantly, it will apply to any lawsuit filed on or after the date of signing as well as to any pending class action in which class certification has not yet occurred.

CILA is a promising piece of legislation for companies dealing with personal data and operating in Florida. Although it provides a roadmap on how companies should structure and implement their cybersecurity programs to take full advantage of the immunity being offered, more clarity is needed on the nuances. Specifically, the exact scope and reach of that immunity will likely have to come from Florida courts as they consider what constitutes "substantial compliance" or "substantial alignment." Finally, it is significant to note that CILA likely only applies in Florida, thus reducing its impact on nationwide class actions or larger data breaches impacting individuals beyond Florida's borders. As such, companies must remain mindful of compliance with other states' data privacy laws and not treat CILA as a complete shield. But at least in Florida, a path to immunity from data breach lawsuits seems to have emerged.

Jason Pill