The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)

Prepared By: The Professional Staff of the Committee on Governmental Oversight and Accountability

BILL: SB 1708
INTRODUCER: Senator DiCeglie
SUBJECT: Cybersecurity
DATE: March 28, 2023

    ANALYST     STAFF DIRECTOR    REFERENCE    ACTION
1.  Harmsen     McVaney           GO           Pre-meeting
2.                                AEG
3.                                AP
4.                                RC

I. Summary:

SB 1708, which may be cited as the “Florida Cyber Protection Act,” generally removes the Department of Management Services’ (DMS) oversight from the functions of the Florida Digital Service (FLDS). However, the FLDS is still “created within the DMS.” The bill grants the FLDS sole authority to perform several IT and cybersecurity oversight functions previously attributed to “the DMS, acting through the FLDS.” Additionally, but not exhaustively, the bill grants the FLDS:
- Authority to participate in state agency IT procurements valued at $5 million or more (compared to $10 million or more in current law);
- Oversight and management duties of the state data center, and full access to its infrastructure;
- Authority to establish an operations committee that will develop collaborative efforts between agencies and other governmental entities relating to cybersecurity issues;
- The right to oversee any state agency cybersecurity audit that is performed by a private vendor;
- The duty to receive notifications of cybersecurity or ransomware incidents of any severity level that occur at a state agency or local government;
- The ability to respond to any state agency cybersecurity incident;
- Authority to brief members of a legislative committee or subcommittee that is responsible for cybersecurity issues; and
- Responsibility to draft the state agency strategic cybersecurity plan.

The state chief information officer (CIO), who serves as head of the FLDS, will now be appointed by the Governor and subject to Senate confirmation.
The CIO, rather than the DMS Secretary, will now serve as executive director of the Florida Cybersecurity Advisory Council.

The bill creates the State Technology Advancement Council within the Executive Office of the Governor which will, among other purposes, assist and advise state agencies, the Legislature, Florida College System institutions, and state universities; improve state technology project efficiency; and support research on and development of innovative technologies. The members of this council must sign an acknowledgement that they will maintain the confidentiality of, and will not disclose in an improper manner, any information not available to the general public and gained by reason of his or her official position.

The bill creates a presumption against liability for local governments and private businesses that adhere to specific cybersecurity protocols and update those protocols according to provisions adopted in the bill.

The bill does not have a fiscal impact on state or local government revenues or local government expenditures. The bill may increase state expenditures.

The bill takes effect on July 1, 2023.

II. Present Situation:

A discussion of the present situation for each section of the bill is included in the “Effect of Proposed Changes” section of this bill analysis.

III. Effect of Proposed Changes:

State Information Technology Management

Present Situation

The Department of Management Services (DMS) oversees information technology (IT) governance and security for the executive branch of the State government.[1] The Florida Digital Service (FLDS) within the DMS was established by the Legislature in 2020[2] to replace the Division of State Technology. The FLDS works subordinate to the DMS to implement policies for IT and agency cybersecurity, and to fully support Florida’s cloud first policy.[3] The FLDS was created to modernize state government technology and information services.[4]

Accordingly, the DMS, through the FLDS, has the following powers, duties, and functions:
- Develop IT policy for the management of the state’s IT resources;
- Develop an enterprise architecture that facilitates interoperability between agencies and supports the cloud-first policy;
- Establish IT project management and oversight standards for state agencies;
- Oversee state agency IT projects that cost $10 million or more and that are funded in the General Appropriations Act or any other law;[5] and
- Standardize and consolidate IT services that support interoperability, Florida’s cloud first policy, and other common business functions and operations.

The head of FLDS is appointed by the Secretary of DMS and serves as the state chief information officer (CIO).[6] The CIO must have at least 5 years of experience in the development of IT system strategic planning and IT policy, and preferably have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.[7]

Effect of the Bill

Section 3 transfers the powers, duties, and functions enumerated in s. 282.0051, F.S., from the DMS to the FLDS, but the FLDS will maintain its organizational position within the DMS. The bill also removes the DMS Secretary’s authority to appoint the FLDS CIO, and gives that authority to the Governor, subject to confirmation by the Senate.

The bill broadens the FLDS’ oversight of state agency IT projects to cover those that cost $5 million or more; prior oversight was limited to those projects of $10 million or more. It does not change the dollar threshold for projects conducted by the Department of Financial Services, Department of Legal Affairs, or Department of Agriculture and Consumer Services.

[1] Section 282.0051, F.S.
[2] Ch. 2020-161, Laws of Fla.
[3] Section 282.0051(1), F.S.
[4] Section 282.0051(1), F.S.
The bill creates an operations committee within the FLDS that will develop collaborative efforts regarding cybersecurity issues between agencies, including agency responses to cybersecurity incidents and interoperability of agency projects. The CIO will serve as the committee’s executive director, and the committee’s membership will consist of:
- The Attorney General, or his or her designee;
- The Secretary of State, or his or her designee;
- The executive director of the Department of Law Enforcement, or his or her designee;
- A representative of each state agency;
- A representative of the Florida State Guard; and
- A representative of the Florida National Guard.

This section makes conforming changes throughout to adopt the transition from the DMS’ authority to the FLDS’ authority.

State Data Center

Present Situation

In 2022, legislation moved the State Data Center (SDC) from FLDS to DMS, which now operates and maintains the SDC.[8] The SDC provides data center services that comply with applicable state and federal laws, regulations, and policies, including all applicable security, privacy, and auditing requirements.[9] The standards used by the SDC are created through the Information Technology Infrastructure Library (ITIL); the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27000; and the Project Management Institute’s (PMI) best practices.

Northwest Regional Data Center

The Northwest Regional Data Center (NWRDC) is the leading computing provider for educational and governmental communities in Florida.

[5] The FLDS provides project oversight on IT projects that have a total cost of $20 million or more for the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services. Section 282.0051(1)(m), F.S.
[6] Section 282.0051(2)(a), F.S.
[7] Id.
[8] Ch. 2022-153, Laws of Fla.
In 2022, NWRDC (located at Florida State University) was declared an official state data center, and the current SDC resources, contracts, and assets were transferred to NWRDC through contract.[10] This allows NWRDC to provide services from the SDC facility. The NWRDC offers services and 24/7 management support for various IT support solutions, including: public/private cloud services, backup and recovery, storage, managed services, Tallahassee fiber loop, Florida LambdaRail, MyFloridaNet, Florida Power and Light Fibernet, CenturyLink connectivity, security services, multi-site colocation, and disaster recovery.[11]

Effect of the Bill

Section 4 amends s. 282.201, F.S., to transfer operational management and oversight of the state data center from the DMS to the FLDS. Although the state data center will still be an entity of the DMS, the FLDS will now oversee it and have full access to the state data center infrastructure. As an additional function of this transfer, the bill grants the CIO authority to assume responsibility for the Northwest Regional Data Center contract, and states that “notwithstanding the terms of the contract” the Northwest Regional Data Center must provide the FLDS with access to information regarding its operation of the state data center.

This section makes conforming changes throughout the section to adopt the transition from the DMS’ authority to the FLDS’ authority.

Section 10 makes a conforming change to s. 1004.649, F.S., to require the Northwest Regional Data Center to submit agency customer invoices to the FLDS, rather than to the DMS.

[9] Section 282.201(1), F.S.
[10] Section 282.201(5), F.S.
[11] NWRDC: Florida’s Cloud Broker, About Northwest Regional Data Center, https://www.nwrdc.fsu.edu/about (last visited Mar. 27, 2023).
State Cybersecurity Act

Present Situation

Agency Cybersecurity Standards

The State Cybersecurity Act[12] requires the DMS and the heads of state agencies to meet certain requirements to enhance state agencies’ cybersecurity.[13] Specifically, the DMS, acting through the FLDS, must:[14]
- Assess state agency cybersecurity risks and determine appropriate security measures consistent with generally accepted best practices for cybersecurity.
- Adopt rules to mitigate risk, support a security governance framework, and safeguard state agency digital assets, data, information, and IT resources[15] to ensure availability, confidentiality, and integrity.
- Designate a chief information security officer (CISO) who must develop, operate, and oversee state technology systems’ cybersecurity. The CISO must be notified of all confirmed or suspected incidents or threats to state agency IT resources and must report such information to the CIO and the Governor.
- Develop and annually update a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for cyber incidents.
- Develop a cybersecurity governance framework and publish it for state agency use.
- Assist state agencies in complying with the State Cybersecurity Act.
- Train state agency information security managers and computer security incident response team members, in collaboration with the Florida Department of Law Enforcement (FDLE) Cybercrime Office, on issues relating to cybersecurity, including cybersecurity threats, trends, and best practices.
- Provide cybersecurity training to all state agency technology professionals that develops, assesses, and documents competencies by role and skill level.
  The training may be provided in collaboration with the Cybercrime Office, a private sector entity, or an institution of the state university system.
- Annually review state agencies’ strategic and operational cybersecurity plans.
- Track, in coordination with agency inspectors general, state agencies’ implementation of remediation plans.
- Operate and maintain a Cybersecurity Operations Center led by the CISO to serve as a clearinghouse for threat information and to coordinate with the FDLE to support state agency response to cybersecurity incidents.
- Lead an Emergency Support Function under the state comprehensive emergency management plan.

The State Cybersecurity Act requires the head of each state agency to designate an information security manager to administer the cybersecurity program of the state agency.[16] In addition, agency heads must:
- Establish an agency cybersecurity incident response team, which must report any confirmed or suspected cybersecurity incidents to the CISO.
- Submit an annual strategic and operational cybersecurity plan to the DMS.
- Conduct a triennial comprehensive risk assessment to determine the security threats to the data, information, and IT resources of the state agency.
- Develop and update internal policies and procedures, including procedures for reporting cybersecurity incidents and breaches to the FLDS and the Cybercrime Office.
- Implement managerial, operational, and technical safeguards and risk assessment remediation plans recommended by the DMS to address identified risks to the data, information, and IT resources of the agency.
- Ensure periodic internal audits and evaluations of the agency’s cybersecurity program.
- Ensure that cybersecurity contract requirements of IT and IT resources and services meet or exceed applicable state and federal laws, regulations, and standards for cybersecurity, including the NIST cybersecurity framework.
- Provide cybersecurity awareness training to all state agency employees concerning cybersecurity risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training may be provided in collaboration with the Cybercrime Office, a private sector entity, or an institution of the state university system.
- Develop a process, consistent with FLDS rules and guidelines, to detect, report, and respond to threats, breaches, or cybersecurity incidents.

Specifically, state agencies and local governments in Florida must report all ransomware incidents and any cybersecurity incidents at severity levels three, four, and five to the Cybersecurity Operations Center as soon as possible, but no later than 48 hours after discovery of a cybersecurity incident and no later than 12 hours after discovery of a ransomware incident.[17] The Cybersecurity Operations Center shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level three, four, or five incident as soon as possible, but no later than 12 hours after receiving the incident report from the state agency or local government.[18] State agencies and local governments must report incidents at severity levels one and two to the Cybersecurity Operations Center and the Cybercrime Office at FDLE as soon as possible.[19] In addition, the Cybersecurity Operations Center must provide consolidated incident reports to the President of the Senate, the Speaker of the House of Representatives, and the Advisory Council on a quarterly basis.[20]

State agencies and local governments must also submit an after-action report to the FLDS within 1 week of the remediation of a cybersecurity or ransomware incident.[21] The report must summarize the incident, state the resolution, and provide any insights from the incident.

Local Government Cybersecurity Standards

Local governments must adopt cybersecurity standards that safeguard their data, information, technology, and IT resources to ensure their availability, confidentiality, and integrity.[22] The local government’s standards must be consistent with generally accepted cybersecurity best practices, including the NIST cybersecurity framework. Once it adopts standards, the local government must notify the FLDS as soon as possible.[23]

Public Record and Public Meetings Exemption for Specific Cybersecurity Records Held by Agencies

The State Cybersecurity Act makes confidential and exempt from public records inspection and copying requirements the portions of risk assessments, evaluations, external audits, and other agency cybersecurity program reports that are held by an agency, if the disclosure would facilitate unauthorized access to, modification, disclosure, or destruction of data or IT resources.[24] However, this information must be shared with the Auditor General, the FDLE Cybercrime Office, the FLDS, and the Chief Inspector General.

[12] Section 282.318, F.S.
[13] “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology resources. Section 282.0041(8), F.S.
[14] Section 282.318(3), F.S.
[15] “Information technology resources” means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. Section 282.0041(22), F.S.
[16] Section 282.318(4)(a), F.S.
[17] Sections 282.318(3)(c)9.c. and 282.3185(5)(b)1., F.S.
[18] Sections 282.318(3)(c)9.c.(II) and 282.3185(5)(b)2., F.S.
[19] Sections 282.318(3)(c)9.d. and 282.3185(5)(c), F.S.
[20] Sections 282.318(3)(c)9.e. and 282.3185(5)(d), F.S.
An agency may share its confidential and exempt documents with a local government, another agency, or a federal agency if given for a cybersecurity purpose, or in furtherance of the agency’s official duties.[25] The State Cybersecurity Act also exempts from public meetings requirements the portions of any public meeting that would reveal records that the Act makes confidential and exempt.[26]

Effect of the Bill

Oversight of Agency Cybersecurity

Section 5 amends s. 282.318, F.S., to transfer, from the DMS to the FLDS, the responsibility to establish standards and processes for the assessment of agency cybersecurity risks and to determine appropriate security measures in turn. Additionally, the bill gives the FLDS authority to respond to any state agency cybersecurity incident.

This section transfers associated rulemaking authority from the DMS to the FLDS, which lacks general rulemaking authority. However, the FLDS may still be able to effectuate rulemaking through the DMS’ general grant of authority, as it is still administratively housed under the DMS.

This section also requires FLDS’ oversight of any private sector vendor’s agency cybersecurity audit to ensure that the audit meets applicable standards, processes, and timelines.

Cybersecurity Incident Reporting Requirements

Sections 5 and 6 broaden the FLDS’ role in the reporting of cybersecurity incidents at agencies and local governments. The bill:
- Grants the FLDS authority to respond to any state agency cybersecurity incident;
- Requires an agency or local government to report a cybersecurity incident of any severity level to the FLDS within 4 hours of discovery of the incident; and
- Requires an agency or local government to report a ransomware incident to the FLDS within 2 hours of its discovery.

[21] Sections 282.318(4)(k) and 282.3185(6), F.S. See also ch. 2022-220, Laws of Fla.
[22] Section 282.3185, F.S.
[23] Section 282.3185(4)(d), F.S.
[24] Section 282.318(5), F.S.
[25] Section 282.318(7), F.S.
[26] Section 282.318(6), F.S.
The FLDS must notify the Governor, the Senate President, and the Speaker of the House of Representatives, in a secure environment, of an agency’s or local government’s failure to timely report a cybersecurity incident.

The bill also amends an agency’s or local government’s duty to report cybersecurity incidents to the FDLE Cybercrime Office and the Cybersecurity Operations Center: whereas previously level 1 or 2 incidents were required to be reported as soon as possible, now they must be reported within the timeframes listed above.

Section 9 amends s. 786.401, F.S., to provide that a county or municipality that substantially complies with the incident notification requirements in s. 282.3185, F.S., has a presumption against liability for the cybersecurity incident. It further states that a county’s or municipality’s failure to substantially implement a cybersecurity program that complies with s. 282.3185, F.S., does not constitute evidence of negligence or negligence per se. It lastly provides that s. 786.401, F.S., does not establish a private cause of action.

Cybersecurity Briefings

The FLDS is also vested with the duty to provide cybersecurity briefings to legislative members of committees or subcommittees that are responsible for cybersecurity policy. The bill also allows legislative committees or subcommittees that are responsible for cybersecurity-related policy to hold closed meetings for the purpose of briefing the body on records that are confidential and exempt pursuant to s. 282.318(5), F.S.

This section makes conforming changes throughout the section to adopt the transition from the DMS’ authority to the FLDS’ authority.

Florida Cybersecurity Advisory Council

Present Situation

The Florida Cybersecurity Advisory Council (Advisory Council) within the DMS[27] protects IT resources from cyber threats and incidents.[28] The Advisory Council’s membership must consist of:
- The Lieutenant Governor or his or her designee.
- The state chief information officer.
- The state chief information security officer.
- The director of the Division of Emergency Management or his or her designee.
- A representative of the computer crime center of the Department of Law Enforcement, appointed by the executive director of the Department of Law Enforcement.
- A representative of the Florida Fusion Center of the Department of Law Enforcement, appointed by the executive director of the Department of Law Enforcement.
- The Chief Inspector General.
- A representative from the Public Service Commission.
- Up to two representatives from institutions of higher education located in this state, appointed by the Governor.
- Three representatives from critical infrastructure sectors, one of whom must be from a water treatment facility, appointed by the Governor.
- Four representatives of the private sector with senior level experience in cybersecurity or software engineering from within the finance, energy, health care, and transportation sectors, appointed by the Governor.
- Two representatives with expertise on emerging technology, with one appointed by the President of the Senate and one appointed by the Speaker of the House of Representatives.

The Advisory Council must assist the FLDS with the implementation of best cybersecurity practices, taking into consideration the final recommendations of the Florida Cybersecurity Task Force, a task force created to review and assess the state’s cybersecurity infrastructure, governance, and operations.[29]

The Advisory Council meets at least quarterly to:[30]
- Review existing state agency cybersecurity policies.
- Assess ongoing risks to state agency IT.
- Recommend a reporting and information sharing system to notify state agencies of new risks.
- Recommend data breach simulation exercises.
- Develop cybersecurity best practice recommendations for state agencies, including continuous risk monitoring, password management, and protecting data in legacy and new systems.
- Examine inconsistencies between state and federal law regarding cybersecurity.

Beginning June 30, 2022, and each June 30 thereafter, the Advisory Council must submit cybersecurity recommendations to the Legislature.[31]

Effect of the Bill

Section 7 amends s. 282.319, F.S., to amend the membership requirements of the Advisory Council; it removes the requirement that one of the representatives from critical infrastructure sectors be from a water treatment facility, and designates the CIO, rather than the DMS Secretary, as the Advisory Council’s nonvoting executive director.

The bill states that legislative members of committees or subcommittees that are responsible for cybersecurity policy must be invited to attend Advisory Council meetings. It further states that such meetings of the Advisory Council may not be construed as a meeting of the legislative committee or subcommittee, or as a prearranged gathering between 2 or more legislative members for the purpose of agreeing upon formal legislative action that will be taken at a subsequent time.

State Technology Advancement Council

Effect of the Bill

Section 8 creates s. 282.3195, F.S., which creates the State Technology Advancement Council (Advancement Council) within the Executive Office of the Governor.

[27] Section 282.319(1), F.S.
[28] Section 282.319(2), F.S.
[29] Section 282.319(3), F.S. The Cybersecurity Task Force is no longer active. See Florida DMS, Cybersecurity Task Force Overview, https://www.dms.myflorida.com/other_programs/cybersecurity_advisory_council/cybersecurity_task_force (last visited Mar. 27, 2023).
[30] Section 282.319(9), F.S.
[31] Section 282.319(11), F.S.
The Advancement Council must meet at least quarterly to:
- Assist state agencies and advise the Legislature on innovative technologies;
- Improve state technology project timelines;
- Develop efficient state technology processes;
- Assist with the creation of development and testing environments that allow state entities to prove out technology concepts before procuring or developing them;
- Assist the Florida College System institutions and state universities with technology transfer processes; and
- Support research on and development of innovative technologies.

Beginning June 1, 2024, and annually thereafter, the Advancement Council must submit a report of its activities and recommendations to the Governor, the Senate President, and the Speaker of the House of Representatives.

The membership of the Advancement Council consists of the following:
- The CIO, or his or her designee, who shall serve as the Advancement Council’s ex officio, non-voting executive director;
- A person with senior-level experience in cloud computing technology;
- An engineer;
- A person with senior-level experience in cloud computing technology;
- A data scientist; and
- Other persons with relevant experience, as determined by the Governor.

These members will serve staggered 4-year terms, with the initial appointments of two members for 2 years to allow for the ultimate implementation of staggered terms. Their service on the Advancement Council is not subject to compensation, but members are entitled to per diem and travel expense reimbursement pursuant to s. 112.061, F.S.

The bill contemplates that Advancement Council members will be given access to risk assessments, evaluations, external audits, and other agency cybersecurity program reports made confidential and exempt by s. 282.318(5), F.S.
The bill states that members of the Advancement Council shall maintain the confidential and exempt status of information they receive in the performance of their duties and responsibilities with the Advancement Council. Additionally, members cannot disclose or use any information that is unavailable to the general public and gained by reason of their official position for personal gain or benefit, or for the gain or benefit of any other person or business entity. Advancement Council members must sign an agreement acknowledging these provisions.

Limitation on Liability

Present Situation

Tort Liability and Negligence

A tort is a civil legal action to recover damages for a loss, injury, or death due to the conduct of another. Some have characterized a tort as a civil wrong, other than a claim for breach of contract, for which a remedy is provided through damages.[32] When a plaintiff files a tort claim, he or she alleges that the defendant’s “negligence” caused the injury. Negligence is defined as the failure to use reasonable care. It means the care that a reasonably careful person would use under similar circumstances. According to the Florida Standard Jury Instructions, negligence means “doing something that a reasonably careful person would not do” in a similar situation or “failing to do something that a reasonably careful person would do” in a similar situation.[33]

When a plaintiff seeks to recover damages for a personal injury and alleges that the injury was caused by the defendant’s negligence, the plaintiff bears the legal burden of proving that the defendant’s alleged action was a breach of the duty that the defendant owed to the plaintiff.[34]

Negligence Pleadings

To establish a claim for relief and initiate a negligence lawsuit, a plaintiff must file a “complaint.” The complaint must state a cause of action and contain: a short and plain statement establishing the court’s jurisdiction, a short and plain statement of the facts showing why the plaintiff is entitled to relief, and a demand for judgment for the relief to which the plaintiff deems himself or herself entitled. The defendant responds with an “answer,” which provides in short and plain terms the defenses to each claim asserted, admitting or denying the averments in response.[35] Under the Florida Rules of Civil Procedure, there is a limited group of allegations that must be pled with “particularity.” These include allegations of fraud, mistake, and a denial of performance or occurrence.[36]

Four Elements of a Negligence Claim

To establish liability, the plaintiff must prove four elements:
- Duty: that the defendant owed a duty, or obligation, of care to the plaintiff;
- Breach: that the defendant breached that duty by not conforming to the standard required;
- Causation: that the breach of the duty was the legal cause of the plaintiff’s injury; and
- Damages: that the plaintiff suffered actual harm or loss.

Burden or Standard of Proof

A “burden of proof” is the obligation a party bears to prove a material fact. The “standard of proof” is the level or degree to which an issue must be proved.[37] The plaintiff carries the burden of proving, by a specific legal standard, that the defendant breached the duty that was owed to the plaintiff and that the breach resulted in the injury. In civil cases, two standards of proof generally apply:
- The “greater weight of the evidence” standard, which applies most often in civil cases, or
- The “clear and convincing evidence” standard, which applies less often and is a higher standard of proof.[38]

However, there are certain statutory and common law presumptions[39] that may shift the burden of proof from the party asserting the material fact in issue to the party defending against such fact.[40] These presumptions remain in effect following the introduction of evidence rebutting the presumption, and the factfinder must decide if such evidence is strong enough to overcome the presumption.[41] A presumption is a legal inference that may be drawn once certain facts are known. Most presumptions can be rebutted if they are proven to be false or thrown into sufficient doubt by the evidence.[42]

Greater Weight of the Evidence

The greater weight of the evidence standard of proof means “the more persuasive and convincing force and effect of the entire evidence in the case.”[43] Some explain the “greater weight of the evidence” concept to mean that, if each party’s evidence is placed on a balance scale, the side that dips down, even by the smallest amount, has met the burden of proof by the greater weight of the evidence.

Clear and Convincing

The clear and convincing standard, a higher standard of proof than a preponderance of the evidence, requires that the evidence be credible and that the facts to which the witness testifies be remembered distinctly. The witness’s testimony “must be precise and explicit and the witnesses must be lacking in confusion as to the facts in issue.” The evidence must be so strong that it guides the trier of fact to a firm conviction, without hesitation, that the allegations are true.[44]

Standards of Care and Degrees of Negligence

Courts have developed general definitions for the degrees of negligence.

Slight Negligence

The failure to exercise great care.[45]

Ordinary Negligence or Simple Negligence

Conduct that a reasonable and prudent person would know might result in injury to others.[46]

Gross Negligence

A course of conduct which a reasonable and prudent person knows would probably and most likely result in injury to another.[47] To prove gross negligence, a plaintiff must show: circumstances that, when taken together, create a clear and present danger; an awareness that the danger exists; and a conscious, voluntary act or omission to act that will likely result in an injury.

Florida Information Protection Act (FIPA)[48]

FIPA is a data security measure that requires governmental entities, specific business entities, and any third-party agent that holds or processes personal information on behalf of these entities to take reasonable measures to protect a consumer’s personal information. Additionally, FIPA requires covered business entities[49] that are subject to data breaches to attempt to remediate the breach by notifying affected consumers in Florida and, in cases where more than 500 individuals’ information was breached, by additional notification to the Department of Legal Affairs (DLA).[50] If the breach affected more than 1,000 individuals in Florida, the entity must also notify credit reporting agencies, with certain exceptions.[51]

FIPA defines “personal information” as:
- Online account information, such as security questions and answers, email addresses, and passwords; and
- An individual’s first name or first initial and last name, in combination with any one or more of the following information regarding him or her:
  o A social security number;

[32] BLACK’S LAW DICTIONARY (11th ed. 2019).
[33] Fla. Std. Jury Instr. Civil 401.3, Negligence.
[34] Florida is a comparative negligence jurisdiction as provided in s. 768.81(2), F.S. In lay terms, if a plaintiff and defendant are both at fault, a plaintiff may still recover damages, but those damages are reduced proportionately by the degree that the plaintiff’s negligence caused the injury.
[35] Fla. R. Civ. P. 1.110.
[36] Fla. R. Civ. P. 1.120(b) and (c).
[37] 5 Fla. Prac. Civil Practice s. 17.1 (2023 ed.).
[38] Id.
[39] These presumptions tend to be social policy expressions, such as the presumption that all people are sane or that all children born in wedlock are legitimate. 5 Florida Practice Series s. 16:1.
[40] 5 Florida Practice Series s. 16:1.
[41] Id.
[42] Legal Information Institute, Presumption, https://www.law.cornell.edu/wex/presumption (last visited Mar. 16, 2023).
[43] Fla. Std. Jury Instr. 401.3, Greater Weight of the Evidence.
[44] Slomowitz v. Walker, 429 So. 2d 797, 800 (Fla. 4th DCA 1983).
[45] See Faircloth v. Hill, 85 So. 2d 870 (Fla. 1956); see also Holland America Cruises, Inc. v. Underwood, 470 So. 2d 19 (Fla. 2d DCA 1985); Werndli v. Greyhound Corp., 365 So. 2d 177 (Fla. 2d DCA 1978); 6 Florida Practice Series s. 1.2.
[46] See De Wald v. Quarnstrom, 60 So. 2d 919 (Fla. 1952); see also Clements v. Deeb, 88 So. 2d 505 (Fla. 1956); 6 Florida Practice Series s. 1.2.
[47] See Clements, 88 So. 2d 505; 6 Florida Practice Series s. 1.2.
[48] Section 501.171, F.S.; Chapter 2014-189, Laws of Fla. (FIPA expanded and updated Florida’s data breach disclosure laws contained in s. 817.5681, F.S. (2013), which was adopted in 2005 and repealed in 2014).
[49] A “covered entity” is a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. Section 501.171(1)(b), F.S.
[50] Florida Office of the Attorney General (OAG), How to Protect Yourself: Data Security, http://myfloridalegal.com/pages.nsf/Main/53D4216591361BCD85257F77004BE16C (last visited Mar. 27, 2023). Section 501.171(3)-(4), F.S.
[51] Section 501.171(3)-(6), F.S.
BILL: SB 1708 Page 14 o A driver license or similar identity verification number issued on a government document; o A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account; o Medical history information or health insurance identification numbers; or o An individual’s health insurance identification numbers. 52 Personal information does not include information: About an individual that a federal, state, or local governmental entity has made publicly available; or That is encrypted, secured, or modified to remove elements that personally identify an individual or that otherwise renders the information unusable. 53 FIPA does not provide a private cause of action, but authorizes the DLA to file charges against covered entities under Florida’s Unfair and Deceptive Trade Practices Act (FDUTPA). 54 In addition to the remedies provided for under FDUTPA, a covered entity that fails to notify the DLA, or an individual whose personal information was accessed, of the data breach is liable for a civil penalty of $1,000 per day for the first 30 days of any violation; $50,000 for each subsequent 30-day period of violation; and up to $500,000 for any violation that continues more than 180 days. These civil penalties apply per breach, not per individual affected by the breach. Cybersecurity Standards Local governments are required to adopt cybersecurity standards that safeguard the local government’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. 55 The standards must be consistent with generally accepted best practices for cybersecurity, including the NIST cybersecurity framework. 56 Once it adopts the standards, the local government must notify FLDS as soon as possible. 
57 The National Institute for Standards and Technology (NIST) is a non-regulatory federal agency housed within the U.S. Department of Commerce. NIST is charged with providing a prioritized, flexible, repeatable, performance-based, and cost-effective framework that helps owners and operators of critical infrastructure identify, assess, and manage cyber risk. While the framework was developed with critical infrastructure in mind, it can be used by organizations in any sector of the economy or society. 58 The framework is designed to complement an organization’s own approach to cybersecurity risk management. As such, there are a variety of ways to use the framework and the decision about how to apply it is left to the implementing organization. For 52 Section 501.171(1)(g)1., F.S.; OAG supra note 41. 53 Section 501.171(1)(g)2., F.S. 54 Section 501.171(9), (10), F.S.; OAG supra note 41. 55 Section 282.3185(4)(a), F.S. 56 Id. 57 Section 282.3185(4)(d), F.S. 58 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last visited March 27, 2023). BILL: SB 1708 Page 15 example, an organization may use its current processes and consider the framework to identify opportunities to strengthen its cybersecurity risk management. The framework, overall, provides an outline of best practices that helps organizations decide where to focus resources for cybersecurity protection. 59 Other cybersecurity standards include: NIST special publication 800-171 Provides recommended requirements for protecting the confidentiality of controlled unclassified information. If a manufacturer is part of a Department of Defense, General Services Administration, NASA, or other state or federal agency supply chain then they must comply with these security requirements. 60 NIST special publications 800-53 and 800-53A A category of security and privacy controls. 
Covers the steps in the Risk Management Framework that address security controls for federal information systems. 61 The Federal Risk and Authorization Management Program security assessment framework Organization established by the General Services Administration (a Federal Government Program) that provides U.S. federal agencies, state agencies, and their vendors with a standardized set of best practices to assess, adopt, and monitor the use of cloud-based technology services under the Federal Information Security Management Act (FISMA). 62 CIS Critical Security Controls The Center for Internet Security Critical Security Controls (CIS) are a prescriptive and simplified set of best practices for strengthening cybersecurity for different organizations. CIS was created in response to extreme data losses experienced by organizations in the U.S. defense industrial base. 63 The International Organization for Standardization/International Electrotechnical Commission 27000 – series family of standards ISO/IEC 27001 (ISO) enables organizations of all sectors to manage security of financial information, intellectual property, employee data and information entrusted by third parties. ISO has auditors and is an international standard. There are 804 technical committees and subcommittees concerned with such standards of development. 64 59 Id. 60 NIST, What is the NIST SP 800-171 and Who Needs to Follow It?, https://www.nist.gov/blogs/manufacturing-innovation- blog/what-nist-sp-800-171-and-who-needs-follow-it-0#:~:text=NIST%20SP%20800- 171%20is%20a%20NIST%20Special%20Publication,protecting%20the%20confidentiality%20of%20controlled%20unclassi fied%20information%20%28CUI%29 (last visited Mar. 27, 2023). 61 NIST, Selecting Security and Privacy Controls: Choosing the Right Approach, https://www.nist.gov/blogs/cybersecurity- insights/selecting-security-and-privacy-controls-choosing-right-approach (last visited Mar. 27, 2023). 
62 Reciprocity, How State and Local Agencies Can Use FedRAMP, https://reciprocity.com/how-state-and-local-agencies-can- use- fedramp/#:~:text=The%20Federal%20Risk%20and%20Authorization%20Management%20Program%20%28FedRAMP%29 ,cloud%20products%20offered%20by%20cloud%20service%20providers%20%28CSPs%29 (last visited Mar. 27, 2023). 63 CIS Security, CIS Critical Security Controls, https://www.cisecurity.org/controls (last visited Mar. 27, 2023). 64 ITGovernance, ISO 27001, The International Security Standard, https://www.itgovernanceusa.com/iso27001#:~:text=ISO%2027001%20is%20a%20globally%20recognized%20information %20security,trusted%20benchmark.%20Protect%20your%20data%2C%20wherever%20it%20lives (last visited Mar. 27, 2023). BILL: SB 1708 Page 16 Effect of the Bill Section 9 establishes a presumption against liability for private businesses 65 that are involved in a cybersecurity incident, if the entity substantially complies with the data breach notice requirements of s. 501.171, F.S., if applicable, and have: Adopted a cybersecurity program that substantially aligns with the current version of the: o NIST Framework for Improving Critical Infrastructure Cybersecurity; o NIST special publication 800-53 and 800053A; o Federal Risk and Authorization management Program security assessment framework; o CIS Critical Security Controls; or o International Organization for Standardization/International Electrotechnical Commission 27000-series family of standards; or Substantially complied with the following laws, if regulated by state or Federal governments, or is otherwise subject to the requirements of any of the following laws and regulations: o Security requirements of HIPPA; o Title V of the Gramm-Leach-Bliley Act of 1999; o Federal Information Security Modernization Act of 2014; or o Health Information Technology for Economic and Clinical Health Act. 
A commercial entity that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards, including the payment card industry data security standard, is provided a presumption against liability for a cybersecurity incident only if it updates its compliance with the frameworks or standards outlined in subsection (2) within 1 year of the latest publication date stated in the revision after two or more of its pertinent frameworks or standards have been updated. Miscellaneous Section 1 provides that this Act may be entitled the “Florida Cyber Protection Act.” Section 2 amends definitions used in ch. 282, F.S., to conform the transition from the DMS’ management to the FLDS’ management. It also specifies that an “incident” is a violation of IT resources which may jeopardize the confidentiality, integrity, or availability of an IT system or the information the system processes, stores, or transmits. It also provides “cyberextortion” as a synonym for the defined term “ransomware incident.” Section 11 provides that the act takes effect on July 1, 2023. 65 The bill limits this to sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, associations, or other commercial entities. Additionally, it specifically applies to businesses that acquire, maintain, store, or use personal information BILL: SB 1708 Page 17 IV. Constitutional Issues: A. Municipality/County Mandates Restrictions: Not applicable. The mandate restrictions do not apply because the bill does not require counties and municipalities to spend funds, reduce counties’ or municipalities’ ability to raise revenue, or reduce the percentage of state tax shared with counties and municipalities. B. Public Records/Open Meetings Issues: None. C. Trust Funds Restrictions: None. D. State Tax or Fee Increases: None. E. Other Constitutional Issues: Open Meetings Meetings of the Legislature must be open and noticed as provided in article. 
III, section 4(e), of the Florida Constitution, except with respect to those meetings exempted by the Legislature pursuant to article I, section 24, Florida Constitution, or specifically closed by the Constitution. 66 The Legislature must adopt rules which provide that all legislative committee and subcommittee meetings of each house and joint conference committee meetings be open and noticed. 67 Such rules must also provide: [A]ll prearranged gatherings, between more than two members of the legislature, or between the governor, the president of the senate, or the speaker of the house of representatives, the purpose of which is to agree upon formal legislative action that will be taken at a subsequent time, or at which formal legislative action is taken, regarding pending legislation or amendments, shall be reasonably open to the public. All open meetings shall be subject to order and decorum. This section shall be implemented and defined by the rules of each house, and such rules shall control admission to the floor of each legislative chamber and may, where reasonably necessary for security purposes or to protect a witness appearing before a committee, provide for the closure of committee meetings. Each house shall be the sole judge for the interpretation, implementation, and enforcement of this section. 66 FLA. CONST. art. I, s. 24. 67 FLA. CONST. art. III, s. 4(e). BILL: SB 1708 Page 18 Rule 1.44 of the Florida Senate requires that all meetings at which legislative business 68 is discussed between two or more members of the Legislature be open to the public, unless, at the sole discretion of the President after consultation with appropriate authorities—the meeting concerns measures to address security, espionage, sabotage, attack, and other acts of terrorism, or for the protection of a witness as required by law. 
Lines 932 through 938 of the bill states that legislative committees or subcommittees that are responsible for matters that relate to cybersecurity may hold closed meetings closed, if approved by the respective legislative body under the rules of such legislative body. This is duplicative of Senate Rule 1.44. Additionally, it may conflict with article III, section 4(e), of the Florida Constitution, because the statute—rather than a legislative rule or constitutional provision—provides for the methods in which a Legislative body may close its meetings. Lines 988 through 996 of the bill provide that the presence of two or more members of the Legislature at a Florida Cybersecurity Advisory Council meeting does not constitute a meeting or prearranged gathering between those members, the purpose of which is to agree upon formal legislative action that will be taken at a subsequent time. This is unnecessary language—either the meeting occurs to agree upon formal legislative action that will be taken at a subsequent time, or it doesn’t. A statement in statute does not change the actions of the meeting and the law that applies. Lines 308-323 create an operations committee that will consist of the CIO, Attorney General, Secretary of State, executive director of the DLE, a representative of each state agency, a representative of the Florida State Guard, and a representative of the National Guard. This may present a need to notice a public meeting whenever the CIO discusses cybersecurity issues with any other member of the operations committee—whether or not it is for operations committee business. 69 This may cause issues in the performance of some of the CIO’s assigned duties regarding oversight of agency cybersecurity operations. Access to Courts The State Constitution provides in Article 1, s. 
21, that “[the courts shall be open to every person for redress of any injury, and justice shall be administered without sale, denial or delay.” Case law has demonstrated, however, that this provision is not absolute. In 1973, the Florida Supreme Court, in Kluger v. White, 70 held that it would not completely prohibit the Legislature from altering a cause of action, but would not allow it to “destroy a traditional and long-standing cause of action upon mere legislative whim…” The case involved the abolition of a statute governing a tort action for property damage in an automobile accident case. When the Legislature abolished the remedy, it did not 68 “Legislative business” is defined as “issues pending before, or upon which foreseeable action is reasonably expected to be taken by the Senate, a Senate committee, or a Senate subcommittee.” Fla. Senate R. 1.44. 69 See, e.g., Florida Citizens Alliance, Inc. v. School Board of Collier County, 328 So.3d 22 (Fla. 2d DCA 2021). 70 Kluger v. White, 281 So. 2d 1 (Fla. 1973). BILL: SB 1708 Page 19 provide an alternative protection to the injured party. The Court was confronted with the issue of whether the Legislature could abolish a right of access to the courts. The Court determined that the Legislature may not abolish a pre-1968 common law right or a statutory cause of action unless the Legislature provides a reasonable alternative to that action or unless an overpowering public necessity exists for abolishing the right of action. The Court applies a three-part test to determine whether a statute violates the access to courts provision: Does the change abolish a preexisting right of access? If so, whether a reasonable alternative exists to protect that preexisting right of access. If no reasonable alternative exists, whether an overwhelming public necessity exists. 
71 Restrictions on the ability to bring a lawsuit have been upheld as constitutional, but the point at which a restriction becomes an unconstitutional bar is not well defined. Impairment of Contracts The bill unilaterally transfers a contract with a private party to a new government entity. The United States Constitution and the Florida Constitution prohibit the state from passing any law impairing the obligation of contracts. 72 “[T]he first inquiry must be whether the state law has, in fact, operated as a substantial impairment of a contractual relationship. The severity of the impairment measures the height of the hurdle the state legislation must clear.” 73 If a law does impair contracts, the courts will assess whether the law is deemed reasonable and necessary to serve an important public purpose. 74 The factors that a court will consider when balancing the impairment of contracts with the public purpose include: Whether the law was enacted to deal with a broad, generalized economic or social problem; Whether the law operates in an area that was already subject to state regulation at the time the parties undertook their contractual obligations, or whether it invades an area never before subject to regulation; and Whether the law results in a temporary alteration of the contractual relationships of those within its scope, or whether it permanently and immediately changes those contractual relationships, irrevocably and retroactively. 75 V. Fiscal Impact Statement: A. Tax/Fee Issues: None. 71 Eller v. Shova, 630 So. 2d 537 (Fla. 1993). 72 U.S. Const. Article I, s. 10; Art. I, s. 10, Fla. Const. 73 Pomponio v Claridge of Pompano Condominium, Inc., 378 So. 2d 774, 779 (Fla. 1979) (quoting Allied Structural Steel Co. v. Spannaus, 438 U.S. 234, 244-45 (1978)). See also General Motors Corp. v. Romein, 503 U.S. 181 (1992). 74 Park Benziger & Co. v. Southern Wine & Spirits, Inc., 391 So. 2d 681, 683 (Fla. 1980); Yellow Cab Co. of Dade County v. Dade County, 412 So. 
2d 395, 397 (Fla. 3rd DCA 1982) (citing United States Trust Co. v. New Jersey, 431 U.S. 1 (1977)). 75 See supra note 2. BILL: SB 1708 Page 20 B. Private Sector Impact: None. C. Government Sector Impact: None. VI. Technical Deficiencies: Lines 77-80 of the bill amends the definition of “agency assessment,” but the term is not used in ch. 282, F.S. The committee created on lines 308-323 of the bill is an advisory body adjunct to an executive agency, and therefore must be established and maintained in accordance with the requirements of s. 20.052, F.S. The committee must be created pursuant to a finding of necessity and public benefit, and be terminated when it no longer serves that purpose. Additionally, meetings of any collegial body created by specific statutory enactment as an adjunct to an executive agency must be open to the public, in accordance with s. 286.011, F.S., and minutes must be maintained. Lines 643-649 grant the FLDS authority to “oversee” any agency cybersecurity audit performed by a private sector vendor. It is unclear what functions are included in this role, and it may need to be more clearly defined. VII. Related Issues: Rulemaking Authority “A grant of rulemaking authority is necessary but not sufficient to allow an agency to adopt a rule; a specific law to be implemented is also required.” 76 The bill transfers rulemaking authority from the “DMS acting through the FLDS” to exclusively the FLDS in several places. The FLDS does not have a grant of general rulemaking authority in statute. Therefore, rules it adopts pursuant to its specific grants of rulemaking authority in this bill may be subject to challenge. 
Legislative Briefing on Confidential and Exempt Subject Matter The bill’s provision that allows any legislative committee or subcommittee that is responsible for cybersecurity-related issues to hold closed meetings for the purposes of being briefed on confidential and exempt subject matter is duplicative of the Legislature’s current ability to do so. VIII. Statutes Affected: This bill substantially amends the following sections of the Florida Statutes: 282.0041, 282.0051, 282.201, 282.318, 282.3185, 282.319, and 1004.649. This bill creates the following sections of the Florida Statutes: 282.3195 and 768.401. 76 Section 120.536, F.S. BILL: SB 1708 Page 21 IX. Additional Information: A. Committee Substitute – Statement of Changes: (Summarizing differences between the Committee Substitute and the prior version of the bill.) None. B. Amendments: None. This Senate Bill Analysis does not reflect the intent or official position of the bill’s introducer or the Florida Senate.