

FL H1183

Cybersecurity Incident Liability



Introduced: 02/26/2025
In Committee: 04/04/2025
Crossed Over
Passed
Dead

Introduced Session

2025 Regular Session

Bill Summary

An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing definitions; providing that a county, municipality, other political subdivision of the state, covered entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified time period; providing that a private cause of action is not established; providing that the fact that a specified defendant could have obtained a liability shield or a presumption against liability is not admissible as evidence of negligence, does not constitute negligence per se, and cannot be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing an effective date.

AI Summary

This bill creates a new section of Florida law that addresses liability for cybersecurity incidents, establishing protections for counties, municipalities, political subdivisions, covered entities, and third-party agents. The bill defines key terms such as "covered entity" (which includes various types of commercial entities) and "cybersecurity standards or frameworks" (referencing multiple established security frameworks like NIST and ISO standards). It provides a liability shield for organizations that implement comprehensive cybersecurity measures, including specific policies, multi-factor authentication, and disaster recovery plans. Entities can obtain a presumption against liability in class action lawsuits by substantially complying with existing cybersecurity regulations or implementing approved security frameworks. The bill requires organizations to update their cybersecurity programs within one year of any relevant framework or regulatory revisions to maintain liability protection. Importantly, the bill does not create a private right of action, meaning individuals cannot sue directly under this law. If a civil action is filed, the fact that an organization could have obtained liability protection cannot be used as evidence of negligence. In such actions, the defendant bears the burden of proving substantial compliance with the bill's requirements. The law applies retroactively to class action lawsuits filed before, on, or after its effective date.

Committee Categories

Budget and Finance, Government Affairs, Justice

Sponsors (4)

Other Sponsors (2)

Civil Justice & Claims Subcommittee (H), Information Technology Budget & Policy Subcommittee (H)

Last Action

Indefinitely postponed and withdrawn from consideration (on 05/03/2025)
