CS/CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-02-c2
Page 1 of 5
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
A bill to be entitled 1
An act relating to cybersecurity incident liability; 2
creating s. 768.401, F.S.; providing definitions; 3
providing that a county, municipality, other political 4
subdivision of the state, covered entity, or third -5
party agent that complies with certain requirements is 6
not liable in connection with a cybersecurity incident 7
under certain circumstances; requiring covered 8
entities and third-party agents to implement rev ised 9
frameworks, standards, laws, or regulations within a 10
specified time period; providing that a private cause 11
of action is not established; providing that the fact 12
that a specified defendant could have obtained a 13
liability shield or a presumption against liability is 14
not admissible as evidence of negligence, does not 15
constitute negligence per se, and cannot be used as 16
evidence of fault; specifying that the defendant in 17
certain actions has a certain burden of proof; 18
providing applicability; providing an ef fective date. 19
20
Be It Enacted by the Legislature of the State of Florida: 21
22
Section 1. Section 768.401, Florida Statutes, is created 23
to read: 24
768.401 Limitation on liability for cybersecurity 25
CS/CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-02-c2
Page 2 of 5
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
incidents.— 26
(1) As used in this section, the term: 27
(a) "Covered entity" means a sole proprietorship, 28
partnership, corporation, trust, estate, cooperative, 29
association, or other commercial entity. 30
(b) "Cybersecurity standards or frameworks" means one or 31
more of the following: 32
1. The National Institute of Standards and Technology 33
(NIST) Cybersecurity Framework 2.0; 34
2. NIST special publication 800 -171; 35
3. NIST special publications 800 -53 and 800-53A; 36
4. The Federal Risk and Authorization Management Program 37
security assessment framework; 38
5. The Center for Internet Security (CIS) Critical 39
Security Controls; 40
6. The International Organization for 41
Standardization/International Electrotechnical Commission 27000 42
series (ISO/IEC 27000) family of standards; 43
7. HITRUST Common Security Framework (CSF); 44
8. Service Organization Control Type 2 Framework (SOC 2); 45
9. Secure Controls Framework; or 46
10. Other similar industry frameworks or standards. 47
(c) "Disaster recovery" has the same meaning as in s. 48
282.0041. 49
(d) "Personal information" has the same meaning as in s. 50
CS/CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-02-c2
Page 3 of 5
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
501.171(1). 51
(e) "Third-party agent" means an entity that has been 52
contracted to maintain, store, or process personal information 53
on behalf of a covered entity. 54
(2) A county, municipality, or other political subdivision 55
of the state is not liable in connection with a cybersecurity 56
incident if the county, municipality, or political subdivision 57
has implemented one or more policies that substantially comply 58
with cybersecurity standards or align with cybersecurity 59
frameworks, disaster recov ery plans for cybersecurity incidents, 60
and multi-factor authentication. 61
(3) A covered entity or third -party agent that acquires, 62
maintains, stores, processes, or uses personal information has a 63
presumption against liability in a class action resulting fr om a 64
cybersecurity incident if the covered entity or third -party 65
agent has a cybersecurity program that does all of the 66
following, as applicable: 67
(a) Substantially complies with s. 501.171(3) -(6), as 68
applicable. 69
(b) Has implemented: 70
1. One or more policies that substantially comply with 71
cybersecurity standards or align with cybersecurity frameworks, 72
a disaster recovery plan for cybersecurity incidents, and multi -73
factor authentication; or 74
2. If regulated by the state or Federal Government, or 75
CS/CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-02-c2
Page 4 of 5
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
both, or if otherwise subject to the requirements of any of the 76
following laws and regulations, a cybersecurity program that 77
substantially complies with the current applicable version of 78
such laws and regulations: 79
a. The Health Insurance Portability and Account ability Act 80
of 1996 security requirements in 45 C.F.R. part 160 and part 164 81
subparts A and C. 82
b. Title V of the Gramm -Leach-Bliley Act of 1999, Pub. L. 83
No. 106-102, as amended, and its implementing regulations. 84
c. The Federal Information Security Mode rnization Act of 85
2014, Pub. L. No. 113 -283. 86
d. The Health Information Technology for Economic and 87
Clinical Health Act requirements in 45 C.F.R. parts 160 and 164. 88
e. The Criminal Justice Information Services (CJIS) 89
Security Policy. 90
f. Other similar requirements mandated by state or federal 91
law or regulation. 92
(4) A covered entity's or third -party agent's 93
cybersecurity program's compliance with paragraph (3)(b) may be 94
demonstrated by providing documentation or other evidence of an 95
assessment, conducte d internally or by a third -party, reflecting 96
that the covered entity's or third -party agent's cybersecurity 97
program has implemented the requirements of that paragraph. 98
(5) Any covered entity or third -party agent must update 99
its cybersecurity program to i ncorporate any revisions of 100
CS/CS/HB 1183 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1183-02-c2
Page 5 of 5
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
relevant frameworks or standards or of applicable state or 101
federal laws or regulations within 1 year after the latest 102
publication date stated in any such revisions in order to retain 103
protection from liability. 104
(6) This section does not establish a private cause of 105
action. 106
(7) If a civil action is filed against a county, 107
municipality, other political subdivision of the state, covered 108
entity, or third-party agent that failed to implement a 109
cybersecurity program in compliance wi th this section, the fact 110
that such defendant could have obtained a liability shield or 111
presumption against liability upon compliance is not admissible 112
as evidence of negligence, does not constitute negligence per 113
se, and cannot be used as evidence of faul t under any other 114
theory of liability. 115
(8) In an action relating to a cybersecurity incident, if 116
the defendant is a county, municipality, or other political 117
subdivision covered by subsection (2) or a covered entity or 118
third-party agent covered by subsect ion (3), the defendant has 119
the burden of proof to establish substantial compliance with 120
this section. 121
Section 2. The amendments made by this act apply to any 122
putative class action filed before, on, or after the effective 123
date of this act. 124
Section 3. This act shall take effect upon becoming a law. 125