Florida Senate - 2024 COMMITTEE AMENDMENT
Bill No. SB 658
LEGISLATIVE ACTION
Senate: Comm: RCS, 02/06/2024
House: (none)
The Committee on Governmental Oversight and Accountability
(DiCeglie) recommended the following:
Senate Amendment (with title amendment)

Delete everything after the enacting clause and insert:

Section 1. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) A county or municipality that substantially complies with s. 282.3185, and any other political subdivision of the state that substantially complies with s. 282.3185 on a voluntary basis, is not liable in connection with a cybersecurity incident.

(2) A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or third-party agent that acquires, maintains, stores, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with s. 501.171, if applicable, and has:

(a) Adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines, or regulations that implement any of the following:

1. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

2. NIST special publication 800-171.

3. NIST special publications 800-53 and 800-53A.

4. The Federal Risk and Authorization Management Program security assessment framework.

5. The Center for Internet Security (CIS) Critical Security Controls.

6. The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards; or

(b) If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, substantially aligned its cybersecurity program to the current version of the following, as applicable:

1. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.

2. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended.

3. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.

4. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.

(3) The scale and scope of substantial alignment with a standard, law, or regulation under paragraph (2)(a) or paragraph (2)(b) by a covered entity or third-party agent, as applicable, is appropriate if it is based on all of the following factors:

(a) The size and complexity of the covered entity or third-party agent.

(b) The nature and scope of the activities of the covered entity or third-party agent.

(c) The sensitivity of the information to be protected.

(4) Any commercial entity or third-party agent covered by subsection (2) that substantially complies with a combination of industry-recognized cybersecurity frameworks or standards to gain the presumption against liability pursuant to subsection (2) must, upon the revision of two or more of the frameworks or standards with which the entity complies, adopt the revised frameworks or standards within 1 year after the latest publication date stated in the revisions and, if applicable, comply with the Payment Card Industry Data Security Standard (PCI DSS).

(5) This section does not establish a private cause of action. Failure of a county, municipality, other political subdivision of the state, or commercial entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.

(6) In an action in connection with a cybersecurity incident, if the defendant is an entity covered by subsection (1) or subsection (2), the defendant has the burden of proof to establish substantial compliance.

Section 2. This act shall take effect upon becoming a law.

================= T I T L E A M E N D M E N T ================

And the title is amended as follows:

Delete everything before the enacting clause and insert:

A bill to be entitled
An act relating to cybersecurity incident liability; creating s. 768.401, F.S.; providing that a county, municipality, other political subdivision of the state, commercial entity, or third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident; requiring certain entities to adopt certain revised frameworks or standards within a specified time period; providing that a private cause of action is not established; providing that certain failures are not evidence of negligence and do not constitute negligence per se; specifying that the defendant in certain actions has a certain burden of proof; providing an effective date.