FL S0658
Bill
Status
11/30/2023
Primary Sponsor
Governmental Oversight and Accountability
AI Summary
- Counties, municipalities, and other political subdivisions of Florida that substantially comply with s. 282.3185 are shielded from liability in connection with a cybersecurity incident
- Commercial entities and third-party agents that handle personal information are not liable for cybersecurity incidents if they substantially comply with Florida's data breach notification law (s. 501.171) and adopt a cybersecurity program aligned with recognized frameworks such as NIST, CIS Critical Security Controls, ISO/IEC 27000, or FedRAMP
- Regulated entities may alternatively align their cybersecurity programs with applicable federal laws including HIPAA, the Gramm-Leach-Bliley Act, FISMA 2014, or the HITECH Act to qualify for the liability protection
- Entities relying on a combination of frameworks must adopt revised versions within 1 year of publication when two or more of their adopted frameworks are updated, and must comply with PCI DSS if applicable
- The bill does not create a private cause of action; failure to implement a compliant cybersecurity program is not evidence of negligence or negligence per se, and covered defendants bear the burden of proving substantial compliance
Legislative Description
Cybersecurity Incident Liability
Last Action
Laid on Table, refer to CS/CS/HB 473
3/5/2024