FL H0635
Bill
Status
12/3/2025
Primary Sponsor
Information Technology Budget & Policy Subcommittee
AI Summary
- Local governments are prohibited from imposing cybersecurity standards on vendors that exceed state requirements or from adopting inconsistent standards for contracts entered into or amended on or after July 1, 2026
- Local governments that implement policies substantially complying with recognized cybersecurity frameworks, disaster recovery plans, and multi-factor authentication are not liable for cybersecurity incidents
- Covered entities and third-party agents handling personal information receive a presumption against liability in class action lawsuits if they maintain cybersecurity programs complying with specified frameworks (NIST, CIS Controls, ISO/IEC 27000, HIPAA, Gramm-Leach-Bliley, etc.)
- Entities must update cybersecurity programs within 1 year of any revisions to applicable frameworks, standards, or regulations to retain liability protection
- Defendants claiming the liability shield bear the burden of proving substantial compliance, and the law applies retroactively to any putative class action filed before, on, or after the effective date
Legislative Description
Cybersecurity Standards and Liability
Last Action
Now in State Affairs Committee
2/3/2026