summary
Introduced: 12/02/2025
In Committee: 12/16/2025
Crossed Over
Passed
Dead
Introduced Session
2026 Regular Session
Bill Summary
An act relating to cybersecurity standards and liability; amending s. 282.3185, F.S.; prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; defining the term “vendor”; prohibiting local governments from adopting or enforcing certain cybersecurity standards or processes; creating s. 768.401, F.S.; defining terms; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability; providing that a private cause of action is not established; providing that the fact that a specified defendant could have obtained a liability shield or a presumption against liability is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing a directive to the Division of Law Revision; providing an effective date.
AI Summary
This bill aims to standardize cybersecurity requirements and limit liability for certain entities in Florida. It prohibits local governments from imposing cybersecurity standards or processes on vendors, defined as any commercial entity contracting with a local government for information technology services, that are stricter than those established by the government itself, unless required by state or federal law. The bill also creates a new section that provides a presumption against liability for local governments, covered entities (any commercial entity), and third-party agents (entities handling personal information for others) in the event of a cybersecurity incident, provided they implement specific cybersecurity standards or frameworks, such as those from the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS), along with disaster recovery plans and multi-factor authentication. Covered entities and third-party agents must update their programs to reflect revisions in these standards or applicable laws within one year to maintain this protection. Importantly, this bill does not create a private right for individuals to sue based on a cybersecurity incident, and the mere possibility of obtaining this liability protection cannot be used as evidence of negligence in court. The defendant in such cases will bear the burden of proving substantial compliance with these cybersecurity requirements.
Committee Categories
Budget and Finance, Justice
Sponsors (1)
Other Sponsors (1)
Governmental Oversight and Accountability (Senate)
Last Action
Now in Appropriations (on 02/11/2026)
Official Document
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.flsenate.gov/Session/Bill/2026/692 |
| Analysis - Judiciary (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/692/Analyses/2026s00692.ju.PDF |
| Analysis - Judiciary (Pre-Meeting) | https://www.flsenate.gov/Session/Bill/2026/692/Analyses/2026s00692.pre.ju.PDF |
| BillText | https://www.flsenate.gov/Session/Bill/2026/692/BillText/c1/HTML |
| Analysis - Governmental Oversight and Accountability (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/692/Analyses/2026s00692.go.PDF |
| | https://www.flsenate.gov/Session/Bill/2026/692/Amendment/434400/HTML |
| Analysis - Governmental Oversight and Accountability (Pre-Meeting) | https://www.flsenate.gov/Session/Bill/2026/692/Analyses/2026s00692.pre.go.PDF |
| BillText | https://www.flsenate.gov/Session/Bill/2026/692/BillText/Filed/HTML |