Florida Senate - 2024                        COMMITTEE AMENDMENT
       Bill No. SB 658
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  02/06/2024           .                                

       The Committee on Governmental Oversight and Accountability
       (DiCeglie) recommended the following:
    1         Senate Amendment (with title amendment)
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 768.401, Florida Statutes, is created to
    6  read:
    7         768.401Limitation on liability for cybersecurity
    8  incidents.—
    9         (1)A county or municipality that substantially complies
   10  with s. 282.3185, and any other political subdivision of the
   11  state that substantially complies with s. 282.3185 on a
   12  voluntary basis, is not liable in connection with a
   13  cybersecurity incident.
   14         (2)A sole proprietorship, partnership, corporation, trust,
   15  estate, cooperative, association, or other commercial entity or
   16  third-party agent that acquires, maintains, stores, or uses
   17  personal information is not liable in connection with a
   18  cybersecurity incident if the entity substantially complies with
   19  s. 501.171, if applicable, and has:
   20         (a)Adopted a cybersecurity program that substantially
   21  aligns with the current version of any standards, guidelines, or
   22  regulations that implement any of the following:
   23         1.The National Institute of Standards and Technology
   24  (NIST) Framework for Improving Critical Infrastructure
   25  Cybersecurity.
   26         2.NIST special publication 800-171.
   27         3.NIST special publications 800-53 and 800-53A.
   28         4.The Federal Risk and Authorization Management Program
   29  security assessment framework.
   30         5.The Center for Internet Security (CIS) Critical Security
   31  Controls.
   32         6.The International Organization for
   33  Standardization/International Electrotechnical Commission 27000
   34  series (ISO/IEC 27000) family of standards; or
   35         (b)If regulated by the state or Federal Government, or
   36  both, or if otherwise subject to the requirements of any of the
   37  following laws and regulations, substantially aligned its
   38  cybersecurity program to the current version of the following,
   39  as applicable:
   40         1.The Health Insurance Portability and Accountability Act
   41  of 1996 security requirements in 45 C.F.R. part 160 and part 164
   42  subparts A and C.
   43         2.Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L.
   44  No. 106-102, as amended.
   45         3.The Federal Information Security Modernization Act of
   46  2014, Pub. L. No. 113-283.
   47         4.The Health Information Technology for Economic and
   48  Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
   49         (3)The scale and scope of substantial alignment with a
   50  standard, law, or regulation under paragraph (2)(a) or paragraph
   51  (2)(b) by a covered entity or third-party agent, as applicable,
   52  is appropriate if it is based on all of the following factors:
   53         (a)The size and complexity of the covered entity or third
   54  party agent.
   55         (b)The nature and scope of the activities of the covered
   56  entity or third-party agent.
   57         (c)The sensitivity of the information to be protected.
   58         (4)Any commercial entity or third-party agent covered by
   59  subsection (2) that substantially complies with a combination of
   60  industry-recognized cybersecurity frameworks or standards to
   61  gain the presumption against liability pursuant to subsection
   62  (2) must, upon the revision of two or more of the frameworks or
   63  standards with which the entity complies, adopt the revised
   64  frameworks or standards within 1 year after the latest
   65  publication date stated in the revisions and, if applicable,
   66  comply with the Payment Card Industry Data Security Standard
   67  (PCI DSS).
   68         (5)This section does not establish a private cause of
   69  action. Failure of a county, municipality, other political
   70  subdivision of the state, or commercial entity to substantially
   71  implement a cybersecurity program that is in compliance with
   72  this section is not evidence of negligence and does not
   73  constitute negligence per se.
   74         (6)In an action in connection with a cybersecurity
   75  incident, if the defendant is an entity covered by subsection
   76  (1) or subsection (2), the defendant has the burden of proof to
   77  establish substantial compliance.
   78         Section 2. This act shall take effect upon becoming a law.
   80  ================= T I T L E  A M E N D M E N T ================
   81  And the title is amended as follows:
   82         Delete everything before the enacting clause
   83  and insert:
   84                        A bill to be entitled                      
   85         An act relating to cybersecurity incident liability;
   86         creating s. 768.401, F.S.; providing that a county,
   87         municipality, other political subdivision of the
   88         state, commercial entity, or third-party agent that
   89         complies with certain requirements is not liable in
   90         connection with a cybersecurity incident; requiring
   91         certain entities to adopt certain revised frameworks
   92         or standards within a specified time period; providing
   93         that a private cause of action is not established;
   94         providing that certain failures are not evidence of
   95         negligence and do not constitute negligence per se;
   96         specifying that the defendant in certain actions has a
   97         certain burden of proof; providing an effective date.