Florida 2025 Regular Session

Florida House Bill H1183 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-	~~CS/~~CS/HB 1183 2025
	3	+	CS/HB 1183 2025
4	4
5	5
6	6
7	7		CODING: Words stricken are deletions; words underlined are additions.
8		-	hb1183-~~02-c2~~
	8	+	hb1183-01-c1
9	9		Page 1 of 5
10	10		F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
11	11
12	12
13	13
14	14		A bill to be entitled 1
15	15		An act relating to cybersecurity incident liability; 2
16	16		creating s. 768.401, F.S.; providing definitions; 3
17	17		providing that a county, municipality, other political 4
18	18		subdivision of the state, covered entity, or third -5
19	19		party agent that complies with certain requirements is 6
20	20		not liable in connection with a cybersecurity incident 7
21	21		under certain circumstances; requiring covered 8
22	22		entities and third-party agents to implement rev ised 9
23	23		frameworks, standards, laws, or regulations within a 10
24	24		specified time period; providing that a private cause 11
25		-	of action is not established; providing that ~~the fact~~ 12
26		-	~~that a specified defendant could have obtained a~~ 13
27		-	~~liability shield or a presumption against liability is~~ 14
28		-	~~not admissible as~~ evidence of ~~negligence, does not~~ 15
29		-	~~constitute negligence per se,~~ ~~and cannot be used as~~ 16
30		-	~~evidence of fault~~; ~~specifying that the defendant in~~ 17
31		-	~~certain actions has a certain burden of proof;~~ 18
32		-	~~providing applicability;~~ ~~providing an ef fective date.~~ 19
	25	+	of action is not established; providing that certain 12
	26	+	failures are not evidence of negligence, do not 13
	27	+	constitute negligence per se, and cannot be used as 14
	28	+	evidence of fault; specifying that the defendant in 15
	29	+	certain actions has a certain burden of proof; 16
	30	+	providing applicability; providing an effective date. 17
	31	+	18
	32	+	Be It Enacted by the Legislature of the State of Florida: 19
33	33		20
34		-	~~Be It Enacted by the Legislature of the State of~~ Florida: 21
35		-	22
36		-	~~Section 1. Section~~ 768.401~~, Florida Statutes,~~ ~~is created~~ 23
37		-	~~to read:~~ 24
38		-	~~768.401 Limitation on liability for cybersecurity~~ 25
	34	+	Section 1. Section 768.401 , Florida Statutes, is created 21
	35	+	to read: 22
	36	+	768.401 Limitation on liability for cybersecurity 23
	37	+	incidents.— 24
	38	+	(1) As used in this section, the term: 25
39	39
40		-	~~CS/~~CS/HB 1183 2025
	40	+	CS/HB 1183 2025
41	41
42	42
43	43
44	44		CODING: Words stricken are deletions; words underlined are additions.
45		-	hb1183-~~02-c2~~
	45	+	hb1183-01-c1
46	46		Page 2 of 5
47	47		F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
48	48
49	49
50	50
51		-	~~incidents.—~~ 26
52		-	~~(1) As used in this section~~, ~~the term:~~ 27
53		-	~~(a) "Covered~~ entity~~" means a sole proprietorship,~~ 28
54		-	~~partnership, corporation,~~ ~~trust, estate,~~ ~~cooperative,~~ 29
55		-	~~association, or other commercial entity.~~ 30
56		-	~~(b) "Cybersecurity~~ standards ~~or frameworks" means one or~~ 31
57		-	~~more of the following:~~ 32
58		-	~~1. The National Institute of Standards and Technology~~ 33
59		-	~~(NIST) Cybersecurity Framework~~ 2.0; 34
60		-	2. NIST special ~~publication~~ 800 -~~171~~; 35
61		-	3. ~~NIST special publications 800 -53~~ and ~~800-53A;~~ 36
62		-	4. ~~The Federal Risk and Authorization Management Program~~ 37
63		-	security ~~assessment framework;~~ 38
64		-	~~5. The Center for Internet~~ Security ~~(CIS) Critical~~ 39
65		-	~~Security Controls;~~ 40
66		-	~~6. The~~ International ~~Organization for~~ 41
67		-	~~Standardization~~/~~International Electrotechnical Commission~~ 27000 42
68		-	~~series~~ (~~ISO/IEC 27000~~) ~~family of standards~~; 43
69		-	7. ~~HITRUST Common Security~~ Framework (~~CSF~~); 44
70		-	8. ~~Service Organization Control Type 2~~ Framework ~~(SOC 2);~~ 45
71		-	9. ~~Secure Controls Framework;~~ or 46
72		-	~~10. Other similar industry frameworks or standards~~. 47
73		-	~~(c) "Disaster recovery" has the same meaning as in s~~. 48
74		-	~~282.0041~~. 49
75		-	(d) ~~"Personal information" has the same meaning as in s~~. 50
	51	+	(a) "Covered entity" means a sole proprietorship, 26
	52	+	partnership, corporation, trust, estate, cooperative, 27
	53	+	association, or other commercial entity. 28
	54	+	(b) "Cybersecurity standards or frameworks" means one or 29
	55	+	more of the following: 30
	56	+	1. The National Institute of Standards and Technology 31
	57	+	(NIST) Framework for Improving Critical Infrastructure 32
	58	+	Cybersecurity; 33
	59	+	2. NIST special publication 800 -171; 34
	60	+	3. NIST special publications 800 -53 and 800-53A; 35
	61	+	4. The Federal Risk and Authorization Management Program 36
	62	+	security assessment framework; 37
	63	+	5. The Center for Internet Security (CIS) Critical 38
	64	+	Security Controls; 39
	65	+	6. The International Organization for 40
	66	+	Standardization/International Electrotechnical Commission 27000 41
	67	+	series (ISO/IEC 27000) family of standards; 42
	68	+	7. HITRUST Common Security Framework (CSF); 43
	69	+	8. Service Organization Control Type 2 Framework (SOC 2); 44
	70	+	9. Secure Controls Framework; or 45
	71	+	10. Other similar industry frameworks or standards. 46
	72	+	(c) "Disaster recovery" has the same meaning as in s. 47
	73	+	282.0041. 48
	74	+	(d) "Personal information" has the same meaning as in s. 49
	75	+	501.171(1). 50
76	76
77		-	~~CS/~~CS/HB 1183 2025
	77	+	CS/HB 1183 2025
78	78
79	79
80	80
81	81		CODING: Words stricken are deletions; words underlined are additions.
82		-	hb1183-~~02-c2~~
	82	+	hb1183-01-c1
83	83		Page 3 of 5
84	84		F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
85	85
86	86
87	87
88		-	~~501.171~~(1). 51
89		-	~~(e) "Third-party agent"~~ ~~means an entity that has been~~ 52
90		-	~~contracted to maintain,~~ ~~store, or process personal information~~ 53
91		-	~~on behalf of~~ a ~~covered entity.~~ 54
92		-	~~(2)~~ A ~~county, municipality, or other political subdivision~~ 55
93		-	of the ~~state is not liable in connection with a cybersecurity~~ 56
94		-	~~incident if the county, municipality,~~ or ~~political subdivision~~ 57
95		-	~~has implemented one~~ or ~~more policies that substantially comply~~ 58
96		-	~~with~~ cybersecurity ~~standards or align with cybersecurity~~ 59
97		-	~~frameworks, disaster recov ery plans for cybersecurity incidents,~~ 60
98		-	~~and multi-factor authentication.~~ 61
99		-	~~(3)~~ A ~~covered entity or third -party agent that acquires,~~ 62
100		-	~~maintains, stores,~~ ~~processes, or uses personal information has~~ a 63
101		-	~~presumption against liability in a class action resulting fr om a~~ 64
102		-	cybersecurity ~~incident if~~ the ~~covered entity or third -party~~ 65
103		-	~~agent has a cybersecurity program that does all of the~~ 66
104		-	~~following~~, as ~~applicable:~~ 67
105		-	~~(a) Substantially complies with s~~. ~~501.171(3) -(6), as~~ 68
106		-	~~applicable.~~ 69
107		-	~~(b) Has implemented:~~ 70
108		-	1. ~~One~~ or ~~more policies that substantially comply~~ with 71
109		-	~~cybersecurity standards or align with~~ cybersecurity ~~frameworks~~, 72
110		-	~~a disaster recovery plan for cybersecurity incidents, and multi -~~73
111		-	~~factor authentication;~~ or 74
112		-	2. If ~~regulated by~~ the ~~state or Federal Government,~~ or 75
	88	+	(e) "Third-party agent" means an entity that has been 51
	89	+	contracted to maintain, store, or process personal information 52
	90	+	on behalf of a covered entity. 53
	91	+	(2) A county, municipality, or other political subdivision 54
	92	+	of the state is not liable in connection with a cybersecurity 55
	93	+	incident if the county, municipality, or political subdivision 56
	94	+	has implemented one or more policies that substantially comply 57
	95	+	with cybersecurity standards or align with cybersecurity 58
	96	+	frameworks, disaster recovery plans for cybersecurity incidents, 59
	97	+	and multi-factor authentication. 60
	98	+	(3) A covered entity or third -party agent that acquires, 61
	99	+	maintains, stores, processes, or uses personal information has a 62
	100	+	presumption against liability in a class action resulting from a 63
	101	+	cybersecurity incident if the covered entity or third -party 64
	102	+	agent has a cybersecurity program that does all of the 65
	103	+	following, as applicable: 66
	104	+	(a) Substantially complies with s. 501.171(3) -(6), as 67
	105	+	applicable. 68
	106	+	(b) Has implemented: 69
	107	+	1. One or more policies that substantially comply with 70
	108	+	cybersecurity standard s or align with cybersecurity frameworks, 71
	109	+	a disaster recovery plan for cybersecurity incidents, and multi -72
	110	+	factor authentication; or 73
	111	+	2. If regulated by the state or Federal Government, or 74
	112	+	both, or if otherwise subject to the requirements of any of the 75
113	113
114		-	~~CS/~~CS/HB 1183 2025
	114	+	CS/HB 1183 2025
115	115
116	116
117	117
118	118		CODING: Words stricken are deletions; words underlined are additions.
119		-	hb1183-~~02-c2~~
	119	+	hb1183-01-c1
120	120		Page 4 of 5
121	121		F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
122	122
123	123
124	124
125		-	~~both~~, ~~or if otherwise subject to the requirements of any of the~~ 76
126		-	~~following laws and regulations,~~ ~~a cybersecurity program that~~ 77
127		-	~~substantially complies with the current applicable version of~~ 78
128		-	~~such laws~~ and ~~regulations:~~ 79
129		-	a. ~~The Health Insurance Portability~~ and ~~Account ability Act~~ 80
130		-	~~of 1996 security requirements in 45~~ C.~~F.R. part 160 and part 164~~ 81
131		-	~~subparts A and C~~. 82
132		-	b. ~~Title V of the Gramm -Leach-Bliley Act of 1999~~, ~~Pub. L~~. 83
133		-	No. ~~106-102, as amended,~~ ~~and its implementing regulations.~~ 84
134		-	c. ~~The Federal Information Security Mode rnization Act of~~ 85
135		-	~~2014, Pub~~. ~~L. No.~~ ~~113 -283.~~ 86
136		-	~~d. The~~ Health ~~Information Technology for Economic~~ and 87
137		-	~~Clinical Health Act requirements in 45 C.F.R~~. ~~parts 160 and 164.~~ 88
138		-	e. ~~The Criminal Justice Information Services (CJIS)~~ 89
139		-	~~Security Policy~~. 90
140		-	~~f. Other similar requirements mandated by state~~ or ~~federal~~ 91
141		-	~~law~~ or ~~regulation.~~ 92
142		-	~~(4) A covered entity~~'s ~~or third -party~~ ~~agent's~~ 93
143		-	~~cybersecurity program's compliance with paragraph (3)(b) may be~~ 94
144		-	~~demonstrated~~ by ~~providing documentation or other evidence of an~~ 95
145		-	~~assessment, conducte d internally~~ or ~~by a~~ third -party~~, reflecting~~ 96
146		-	~~that~~ the ~~covered entity's or third -party agent's cybersecurity~~ 97
147		-	~~program has implemented the requirements of that paragraph.~~ 98
148		-	~~(5)~~ Any ~~covered entity or third -party agent must update~~ 99
149		-	~~its cybersecurity program to i ncorporate any revisions~~ of 100
	125	+	following laws and regulations, a cybersecurity program that 76
	126	+	substantially complies with the current applicable version of 77
	127	+	such laws and regulations: 78
	128	+	a. The Health Insurance Portability and Accountability Act 79
	129	+	of 1996 security requirements in 45 C.F.R. part 160 and part 164 80
	130	+	subparts A and C. 81
	131	+	b. Title V of the Gramm -Leach-Bliley Act of 1999, Pub. L. 82
	132	+	No. 106-102, as amended, and its implementing regulations. 83
	133	+	c. The Federal Information Security Modernization Act of 84
	134	+	2014, Pub. L. No. 113 -283. 85
	135	+	d. The Health Information Technology for Economic and 86
	136	+	Clinical Health Act requirements in 45 C.F.R. parts 160 and 164. 87
	137	+	e. The Criminal Justice Information Services (CJIS) 88
	138	+	Security Policy. 89
	139	+	f. Other similar requirements mandated by state or federal 90
	140	+	law or regulation. 91
	141	+	(4) A covered entity's or third -party agent's 92
	142	+	cybersecurity program's compliance with paragraph (3)(b) may be 93
	143	+	demonstrated by providing documentation or other evidence of an 94
	144	+	assessment, conducted internally or by a third -party, reflecting 95
	145	+	that the covered entity's or third-party agent's cybersecurity 96
	146	+	program has implemented the requirements of that paragraph. 97
	147	+	(5) Any covered entity or third -party agent must update 98
	148	+	its cybersecurity program to incorporate any revisions of 99
	149	+	relevant frameworks or standards or of applicable state or 100
150	150
151		-	~~CS/~~CS/HB 1183 2025
	151	+	CS/HB 1183 2025
152	152
153	153
154	154
155	155		CODING: Words stricken are deletions; words underlined are additions.
156		-	hb1183-~~02-c2~~
	156	+	hb1183-01-c1
157	157		Page 5 of 5
158	158		F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
159	159
160	160
161	161
162		-	relevant frameworks or standards or of applicable state or 101
163		-	federal laws or regulations within 1 year after the latest 102
164		-	publication date stated in any such revisions in order to retain 103
165		-	protection from liability. 104
166		-	(6) This section does not establish a private cause of 105
167		-	action. 106
168		-	(7) If a civil action is filed against a county, 107
169		-	municipality, other political subdivision of the state, covered 108
170		-	entity, or third-party agent that failed to implement a 109
171		-	cybersecurity program in compliance wi th this section, the fact 110
172		-	that such defendant could have obtained a liability shield or 111
173		-	presumption against liability upon compliance is not admissible 112
174		-	as evidence of negligence, does not constitute negligence per 113
175		-	se, and cannot be used as evidence of faul t under any other 114
176		-	theory of liability. 115
177		-	(8) In an action relating to a cybersecurity incident, if 116
178		-	the defendant is a county, municipality, or other political 117
179		-	subdivision covered by subsection (2) or a covered entity or 118
180		-	third-party agent covered by subsect ion (3), the defendant has 119
181		-	the burden of proof to establish substantial compliance with 120
182		-	this section. 121
183		-	Section 2. The amendments made by this act apply to any 122
184		-	putative class action filed before, on, or after the effective 123
185		-	date of this act. 124
186		-	Section 3. This act shall take effect upon becoming a law. 125
	162	+	federal laws or regulations within 1 year after the latest 101
	163	+	publication date stated in any such revisions in order to retain 102
	164	+	protection from liability. 103
	165	+	(6) This section does not establish a private cause of 104
	166	+	action. 105
	167	+	(7) Failure of a county, municipality, other political 106
	168	+	subdivision of the state, covered entity, or third -party agent 107
	169	+	to implement a cybersecurity program in compliance with this 108
	170	+	section is not evidence of negligence, does not constitute 109
	171	+	negligence per se, and cannot be used as evidence of fault under 110
	172	+	any other theory of liability. 111
	173	+	(8) In an action relating to a cybersecurity incident, if 112
	174	+	the defendant is a county, municipality, or other political 113
	175	+	subdivision covered by subsection (2) or a covered entity or 114
	176	+	third-party agent covered by subsection (3), the defendant has 115
	177	+	the burden of proof to establish substantial compliance with 116
	178	+	this section. 117
	179	+	Section 2. The amendments made by this act apply to any 118
	180	+	suit filed on or after the effective date of this act and to any 119
	181	+	putative class action not certified on or before the effective 120
	182	+	date of this act. 121
	183	+	Section 3. This act shall take effect upon becoming a law. 122