Loading chat...
FL S1576
Bill
AI Summary
- Counties, municipalities, covered entities, and third-party agents that substantially align their cybersecurity programs with recognized frameworks (such as NIST, CIS Critical Security Controls, ISO/IEC 27000, HITRUST CSF, or SOC 2) are shielded from liability arising from cybersecurity incidents
- Local governments can also qualify for liability protection by applying to the Local Government Cybersecurity Grant Program and sharing telemetry data with the state's cybersecurity operations center
- Covered entities and third-party agents handling personal information are protected from class action lawsuits if they substantially comply with Florida's data breach notification requirements (s. 501.171), implement disaster recovery plans, and use multi-factor authentication
- Entities regulated under federal laws such as HIPAA, Gramm-Leach-Bliley Act, FISMA, or HITECH Act can demonstrate compliance by aligning with those regulatory requirements instead, and must update their programs within 1 year of any framework or regulatory revisions
- Failure to implement a compliant cybersecurity program does not constitute evidence of negligence or negligence per se, no private cause of action is created, and the burden of proof to establish substantial compliance rests on the defendant
Legislative Description
Cybersecurity Incident Liability
Last Action
Died in Judiciary
6/16/2025
Full Bill Text
No bill text available