Introduced
02/27/2025
In Committee
03/06/2025
Crossed Over
Passed
Dead
Introduced Session
2025 Regular Session
Bill Summary
An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; defining terms; providing that a county, municipality, other political subdivision of the state, covered entity, or third party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to align their cybersecurity programs with any revised frameworks, standards, laws, or regulations within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence, do not constitute negligence per se, and cannot be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing an effective date.
AI Summary
This bill establishes new legal protections for counties, municipalities, and commercial entities in cybersecurity incidents by creating a framework that limits their liability if they meet certain cybersecurity standards. The bill defines key terms like "covered entity" (which includes businesses and organizations) and "cybersecurity standards or frameworks" (referencing specific guidelines from NIST, ISO, and other recognized cybersecurity frameworks). Under the bill, counties, municipalities, and covered entities can avoid liability in class action lawsuits if they substantially comply with existing data protection laws, adopt cybersecurity policies aligned with recognized frameworks, maintain disaster recovery plans, and implement multi-factor authentication. The bill explicitly states that failure to implement a perfect cybersecurity program cannot be used as evidence of negligence, and in any legal action, the defendant must prove substantial compliance with the standards. Importantly, the bill does not create a new private right of action, meaning individuals cannot sue solely based on these provisions. The law requires entities to update their cybersecurity programs within one year of any revisions to relevant frameworks or regulations to maintain their liability protection, and it applies to class action lawsuits filed on or after its effective date.
Sponsors (1)
Last Action
Indefinitely postponed and withdrawn from consideration (on 05/03/2025)
Official Document
Document Type | Source Location |
---|---|
State Bill Page | https://www.flsenate.gov/Session/Bill/2025/1576 |
BillText | https://www.flsenate.gov/Session/Bill/2025/1576/BillText/Filed/HTML |