CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-01-c1 Page 1 of 5
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing definitions; providing that a county, municipality, other political subdivision of the state, covered entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence, do not constitute negligence per se, and cannot be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) As used in this section, the term:

(a) "Covered entity" means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity.

(b) "Cybersecurity standards or frameworks" means one or more of the following:

1. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity;

2. NIST special publication 800-171;

3. NIST special publications 800-53 and 800-53A;

4. The Federal Risk and Authorization Management Program security assessment framework;

5. The Center for Internet Security (CIS) Critical Security Controls;

6. The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards;

7. HITRUST Common Security Framework (CSF);

8. Service Organization Control Type 2 Framework (SOC 2);

9. Secure Controls Framework; or

10. Other similar industry frameworks or standards.

(c) "Disaster recovery" has the same meaning as in s. 282.0041.

(d) "Personal information" has the same meaning as in s. 501.171(1).

(e) "Third-party agent" means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(2) A county, municipality, or other political subdivision of the state is not liable in connection with a cybersecurity incident if the county, municipality, or political subdivision has implemented one or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, disaster recovery plans for cybersecurity incidents, and multi-factor authentication.

(3) A covered entity or third-party agent that acquires, maintains, stores, processes, or uses personal information has a presumption against liability in a class action resulting from a cybersecurity incident if the covered entity or third-party agent has a cybersecurity program that does all of the following, as applicable:

(a) Substantially complies with s. 501.171(3)-(6), as applicable.

(b) Has implemented:

1. One or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, a disaster recovery plan for cybersecurity incidents, and multi-factor authentication; or

2. If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, a cybersecurity program that substantially complies with the current applicable version of such laws and regulations:

a. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.

b. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, and its implementing regulations.

c. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

d. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.

e. The Criminal Justice Information Services (CJIS) Security Policy.

f. Other similar requirements mandated by state or federal law or regulation.

(4) A covered entity's or third-party agent's cybersecurity program's compliance with paragraph (3)(b) may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third party, reflecting that the covered entity's or third-party agent's cybersecurity program has implemented the requirements of that paragraph.

(5) Any covered entity or third-party agent must update its cybersecurity program to incorporate any revisions of relevant frameworks or standards or of applicable state or federal laws or regulations within 1 year after the latest publication date stated in any such revisions in order to retain protection from liability.

(6) This section does not establish a private cause of action.

(7) Failure of a county, municipality, other political subdivision of the state, covered entity, or third-party agent to implement a cybersecurity program in compliance with this section is not evidence of negligence, does not constitute negligence per se, and cannot be used as evidence of fault under any other theory of liability.

(8) In an action relating to a cybersecurity incident, if the defendant is a county, municipality, or other political subdivision covered by subsection (2) or a covered entity or third-party agent covered by subsection (3), the defendant has the burden of proof to establish substantial compliance with this section.

Section 2. The amendments made by this act apply to any suit filed on or after the effective date of this act and to any putative class action not certified on or before the effective date of this act.

Section 3. This act shall take effect upon becoming a law.