CS/HB 473 2024
CODING: Words stricken are deletions; words underlined are additions.
hb0473-01-c1 Page 1 of 4
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing that a county, municipality, other political subdivision of the state, commercial entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident; requiring certain entities to adopt certain revised frameworks or standards within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence and do not constitute negligence per se; specifying that the defendant in certain actions has a certain burden of proof; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) A county or municipality that substantially complies with s. 282.3185, and any other political subdivision of the state that substantially complies with s. 282.3185 on a voluntary basis, is not liable in connection with a cybersecurity incident.

(2) A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or third-party agent that acquires, maintains, stores, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with s. 501.171, if applicable, and has:

(a) Adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines, or regulations that implement any of the following:

1. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
2. NIST special publication 800-171.
3. NIST special publications 800-53 and 800-53A.
4. The Federal Risk and Authorization Management Program security assessment framework.
5. The Center for Internet Security (CIS) Critical Security Controls.
6. The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards; or

(b) If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, substantially aligned its cybersecurity program to the current version of the following, as applicable:

1. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.
2. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
3. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
4. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.

(3) The scale and scope of substantial alignment with a standard, law, or regulation under paragraph (2)(a) or paragraph (2)(b) by a covered entity or third-party agent, as applicable, is appropriate if it is based on all of the following factors:

(a) The size and complexity of the covered entity or third-party agent.
(b) The nature and scope of the activities of the covered entity or third-party agent.
(c) The sensitivity of the information to be protected.

(4) Any commercial entity or third-party agent covered by subsection (2) that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards to gain the presumption against liability pursuant to subsection (2) must, upon the revision of two or more of the frameworks or standards with which the entity complies, adopt the revised frameworks or standards within 1 year after the latest publication date stated in the revisions and, if applicable, comply with the Payment Card Industry Data Security Standard (PCI DSS).

(5) This section does not establish a private cause of action. Failure of a county, municipality, other political subdivision of the state, or commercial entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.

(6) In an action in connection with a cybersecurity incident, if the defendant is an entity covered by subsection (1) or subsection (2), the defendant has the burden of proof to establish substantial compliance.

Section 2. This act shall take effect upon becoming a law.