Florida 2024 Regular Session

Florida House Bill H0473 Introduced / Bill

Filed 11/15/2023

                       
 
HB 473  2024

CODING: Words stricken are deletions; words underlined are additions.
hb0473-00
Page 1 of 4
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled
An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing that a county, municipality, commercial entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident; requiring certain entities to adopt certain revised frameworks or standards within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence and do not constitute negligence per se; specifying that the defendant in certain actions has a certain burden of proof; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1.  Section 768.401, Florida Statutes, is created to read:

768.401  Limitation on liability for cybersecurity incidents.—

(1)  A county or municipality that substantially complies with s. 282.3185 is not liable in connection with a cybersecurity incident.
(2)  A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or third-party agent that acquires, maintains, stores, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with s. 501.171, if applicable, and has:
(a)  Adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines, or regulations that implement any of the following:

1.  The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

2.  NIST special publication 800-171.

3.  NIST special publications 800-53 and 800-53A.

4.  The Federal Risk and Authorization Management Program security assessment framework.

5.  The Center for Internet Security (CIS) Critical Security Controls.

6.  The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards; or
(b)  If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, substantially aligned its cybersecurity program to the current version of the following, as applicable:

1.  The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.

2.  Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

3.  The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

4.  The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
(3)  The scale and scope of substantial alignment with a standard, law, or regulation under paragraph (2)(a) or paragraph (2)(b) by a covered entity or third-party agent, as applicable, is appropriate if it is based on all of the following factors:

(a)  The size and complexity of the covered entity or third-party agent.

(b)  The nature and scope of the activities of the covered entity or third-party agent.

(c)  The sensitivity of the information to be protected.
(4)  Any commercial entity or third-party agent covered by subsection (2) that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards to gain the presumption against liability pursuant to subsection (2) must, upon the revision of two or more of the frameworks or standards with which the entity complies, adopt the revised frameworks or standards within 1 year after the latest publication date stated in the revisions and, if applicable, comply with the Payment Card Industry Data Security Standard (PCI DSS).
(5)  This section does not establish a private cause of action. Failure of a county, municipality, or commercial entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.

(6)  In an action in connection with a cybersecurity incident, if the defendant is an entity covered by subsection (1) or subsection (2), the defendant has the burden of proof to establish substantial compliance.

Section 2.  This act shall take effect upon becoming a law.