Government efforts to regulate cybersecurity have been criticized for often having the effect of punishing the victim. A bill pending in the Florida legislature takes a radically different approach.
HB473 would offer a safe harbor against data breach litigation to businesses operating in Florida that maintain a robust level of cybersecurity in compliance with government and industry standards. The bill is known as the “Cybersecurity Incident Liability Act,” and it aims to incentivize businesses to stay current with their network security and data protection by providing an affirmative defense against tort claims arising out of data breaches.
Plaintiffs can file class action lawsuits against businesses that fall victim to a breach, even after the company provides notification and offers credit monitoring and identity theft protection to its customers. This legislation doesn’t prevent plaintiffs from doing that, but if a company can show that its practices are in substantial alignment with generally accepted cybersecurity standards, the safe harbor will shield it from potential liability arising out of the breach.
Importantly, the legislation does not mandate specific cybersecurity measures. Instead, the bill gives businesses the option to select from one of several recognized frameworks, including those published by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”), and The Center for Internet Security’s (“CIS”) Critical Security Controls. The safe harbor is also available to businesses that demonstrate compliance with federal legislation such as HIPAA, Gramm-Leach-Bliley, or the Federal Information Security Modernization Act. This flexible approach considers the size of the business, the nature of its activities, the sensitivity of the data being held, and the resources available to implement improvements to security.
Despite a slight drop in the final quarter of the year, ransomware attacks increased by 68% in 2023 to reach an all-time high, according to a report from Corvus, a leading underwriter of cyber insurance.
Drawing upon data from “leak sites” on the so-called “dark web” where cybercriminals ply their trade, the report counts 4,496 victims of ransomware this past year, up from 2,670 in 2022. Corvus Chief Information Security Officer Jason Rebholz hailed the recent success of law enforcement in apprehending threat actors, describing their efforts as having an “incredible impact.” Even so, Rebholz noted in an interview with the insurance news source Zywave that new forms of malware continue to proliferate, and businesses must remain vigilant.
Corvus attributes an unexpected drop in ransomware events late in the year to disruptions of a notorious ransomware syndicate by law enforcement, along with efforts to neutralize a particularly virulent form of malware. Corvus also cautioned that not all victims of ransomware end up being publicized on the dark web, so the report carries a risk of underestimating the actual number of attacks that have taken place by as much as 41%. Threat actors continue to exploit vulnerabilities in corporate networks, and even companies like VMware, Cisco, and Citrix – household names in the technology sector – have found themselves on the receiving end of ransomware attacks.