Downloads
CS/CS/HB 473 — Cybersecurity Incident Liability
by Judiciary Committee; Commerce Committee; and Reps. Giallombardo, Steele, and others (CS/SB 658 by Governmental Oversight and Accountability Committee and Senator DiCeglie)
This summary is provided for information only and does not represent the opinion of any Senator, Senate Officer, or Senate Office.
Prepared by: Judiciary Committee (JU)
The bill provides that a county or municipality that has substantially complied with cybersecurity protocols established by the Department of Management Services and that has timely notified the state and the local sheriff of a serious incident related to cybersecurity is not liable for civil damages related to the incident.
The bill also provides that a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or third-party agent that acquires, maintains, stores, processes, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with the Florida Information Protection Act (FIPA), adopts standards and guidelines in substantial alignment with the current version of any of ten national standards listed, adopts standards and guidelines that substantially align with all of the five federal laws that may apply to the entity (including HIPAA and Gramm-Leach-Bliley, and other similar requirements), and updates its standards and guidelines within 1 year after an update to the prevailing standard.
The protection afforded by the bill is an affirmative defense where the defendant entity has the burden of proof on applicability.
The bill further provides that its provisions apply to any suit filed on or after the effective date of the bill and to any putative class action not certified on or before the effective date of the bill.
If approved by the Governor, or allowed to become law without the Governor’s signature, these provisions take effect upon becoming law.
Vote: Senate 32-8; House 81-28