ENROLLED CS/CS/HB 473, 2024 Legislature
CODING: Words stricken are deletions; words underlined are additions.
hb0473-03-er, Page 1 of 5
FLORIDA HOUSE OF REPRESENTATIVES

An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing definitions; providing that a county, municipality, other political subdivision of the state, covered entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident; requiring covered entities and third-party agents to adopt revised frameworks, standards, laws, or regulations within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence and do not constitute negligence per se; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) As used in this section, the term:
    (a) "Covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity.
    (b) "Third-party agent" means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(2) A county or municipality that substantially complies with s. 282.3185, and any other political subdivision of the state that substantially complies with s. 282.3185 on a voluntary basis, is not liable in connection with a cybersecurity incident.

(3) A covered entity or third-party agent that acquires, maintains, stores, processes, or uses personal information is not liable in connection with a cybersecurity incident if the covered entity or third-party agent does all of the following, as applicable:
    (a) Substantially complies with s. 501.171(3)-(6), as applicable.
    (b)1. Has adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines, or regulations that implement any of the following:
        a. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity;
        b. NIST special publication 800-171;
        c. NIST special publications 800-53 and 800-53A;
        d. The Federal Risk and Authorization Management Program security assessment framework;
        e. The Center for Internet Security (CIS) Critical Security Controls;
        f. The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards;
        g. HITRUST Common Security Framework (CSF);
        h. Service Organization Control Type 2 (SOC 2) Framework;
        i. Secure Controls Framework; or
        j. Other similar industry frameworks or standards; or
    2. If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, has adopted a cybersecurity program that substantially aligns with the current version of the following, as applicable:
        a. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.
        b. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.
        c. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
        d. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
        e. The Criminal Justice Information Services (CJIS) Security Policy.
        f. Other similar requirements mandated by state or federal law or regulation.

(4) A covered entity's or third-party agent's substantial alignment with a framework or standard under subparagraph (3)(b)1. or with a law or regulation under subparagraph (3)(b)2. may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third-party, reflecting that the covered entity's or third-party agent's cybersecurity program is substantially aligned with the relevant framework or standard or with the applicable state or federal law or regulation. In determining whether a covered entity's or third-party agent's cybersecurity program is in substantial alignment, all of the following factors must be considered:
    (a) The size and complexity of the covered entity or third-party agent.
    (b) The nature and scope of the activities of the covered entity or third-party agent.
    (c) The sensitivity of the information to be protected.

(5) Any covered entity or third-party agent must substantially align its cybersecurity program with any revisions of relevant frameworks or standards or of applicable state or federal laws or regulations within 1 year after the latest publication date stated in any such revisions in order to retain protection from liability.

(6) This section does not establish a private cause of action.

(7) Failure of a county, municipality, other political subdivision of the state, covered entity, or third-party agent to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.

(8) In an action relating to a cybersecurity incident, if the defendant is a county, municipality, or political subdivision covered by subsection (2) or a covered entity or third-party agent covered by subsection (3), the defendant has the burden of proof to establish substantial compliance.

Section 2. The amendments made by this act apply to any suit filed on or after the effective date of this act and to any putative class action not certified on or before the effective date of this act.

Section 3. This act shall take effect upon becoming a law.