summary
Introduced
12/03/2025
12/03/2025
In Committee
01/22/2026
01/22/2026
Crossed Over
Passed
Dead
Introduced Session
2026 Regular Session
Bill Summary
An act relating to cybersecurity standards and liability; amending s. 282.3185, F.S.; prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; providing an exception; defining the term "vendor"; prohibiting local governments from adopting or enforcing certain cybersecurity standards or processes; creating s. 768.401, F.S.; providing definitions; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified time period; providing that a private cause of action is not established; providing that the fact that a specified defendant could have obtained a liability shield or a presumption against liability is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing a directive to the Division of Law Revision; providing an effective date. hb635-01-c1
AI Summary
This bill aims to standardize cybersecurity requirements and limit liability for certain entities in Florida. It prohibits local governments from imposing cybersecurity standards or processes on vendors, defined as businesses contracting with local governments for IT services, that are stricter than those established by the state, unless required by state or federal law or industry-specific regulations. The bill also creates new provisions that provide a presumption against liability for local governments, covered entities (businesses), and third-party agents (entities handling personal information on behalf of businesses) if they implement specific cybersecurity measures, such as adhering to recognized frameworks like the NIST Cybersecurity Framework, implementing disaster recovery plans, and using multi-factor authentication. Covered entities and third-party agents must update their programs to align with revisions in these frameworks or laws within one year to maintain this protection. Importantly, this section does not create a new right for individuals to sue, and the fact that a defendant could have qualified for this liability protection cannot be used as evidence of negligence or fault in a lawsuit. The bill also places the burden of proof on the defendant to demonstrate substantial compliance with these cybersecurity requirements.
Committee Categories
Budget and Finance, Government Affairs, Justice
Sponsors (2)
Other Sponsors (1)
Information Technology Budget & Policy Subcommittee (House)
Last Action
Now in State Affairs Committee (on 02/03/2026)
Official Document
bill text
bill summary
Loading...
bill summary
Loading...
bill summary
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.flsenate.gov/Session/Bill/2026/635 |
| Analysis - Civil Justice & Claims Subcommittee (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/635/Analyses/h0635c.CIV.PDF |
| Analysis - Civil Justice & Claims Subcommittee (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/635/Analyses/h0635b.CIV.PDF |
| BillText | https://www.flsenate.gov/Session/Bill/2026/635/BillText/c1/PDF |
| Analysis - Information Technology Budget & Policy Subcommittee (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/635/Analyses/h0635a.ITP.PDF |
| https://www.flsenate.gov/Session/Bill/2026/635/Amendment/130573/PDF | |
| Analysis - Information Technology Budget & Policy Subcommittee (Post-Meeting) | https://www.flsenate.gov/Session/Bill/2026/635/Analyses/h0635.ITP.PDF |
| BillText | https://www.flsenate.gov/Session/Bill/2026/635/BillText/Filed/PDF |
Loading...