Florida Senate - 2026 CS for SB 692
By the Committee on Governmental Oversight and Accountability;
and Senator Leek
585-02205-26 2026692c1
A bill to be entitled

An act relating to cybersecurity standards and liability; amending s. 282.3185, F.S.; prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; defining the term “vendor”; prohibiting local governments from adopting or enforcing certain cybersecurity standards or processes; creating s. 768.401, F.S.; defining terms; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability; providing that a private cause of action is not established; providing that the fact that a specified defendant could have obtained a liability shield or a presumption against liability is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing a directive to the Division of Law Revision; providing an effective date.
Be It Enacted by the Legislature of the State of Florida:
Section 1. Paragraph (a) of subsection (4) of section 282.3185, Florida Statutes, is amended to read:

282.3185 Local government cybersecurity.—

(4) CYBERSECURITY STANDARDS.—

(a)1. Each local government shall adopt cybersecurity standards that safeguard its data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The cybersecurity standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.

2. A local government may not impose cybersecurity standards or processes on a vendor which exceed the standards or processes established under this paragraph, except as necessary to comply with state or federal laws, or with industry-specific requirements applicable to regulated sectors. For purposes of this paragraph, “vendor” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that contracts with a local government to provide information technology commodities or services.

3. A local government may not adopt or enforce any cybersecurity standards or processes that are inconsistent with this paragraph for contracts entered into or amended on or after July 1, 2026.
Section 2. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) As used in this section, the term:

(a) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity.

(b) “Cybersecurity standards or frameworks” means one or more of the following:

1. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0;
2. NIST special publication 800-171;
3. NIST special publications 800-53 and 800-53A;
4. The Federal Risk and Authorization Management Program security assessment framework;
5. The Center for Internet Security (CIS) Critical Security Controls;
6. The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards;
7. HITRUST Common Security Framework (CSF);
8. Service Organization Control Type 2 Framework (SOC 2);
9. Secure Controls Framework; or
10. Other similar industry frameworks or standards.

(c) “Disaster recovery” has the same meaning as in s. 282.0041.

(d) “Local government” means a county, a municipality, or other political subdivision of this state.

(e) “Personal information” has the same meaning as in s. 501.171.

(f) “Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(2) A local government is not liable in connection with a cybersecurity incident if the local government has implemented one or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, disaster recovery plans for cybersecurity incidents, and multifactor authentication.
(3) A covered entity or a third-party agent that acquires, maintains, stores, processes, or uses personal information has a presumption against liability in a class action resulting from a cybersecurity incident if the covered entity or the third-party agent has a cybersecurity program that does all of the following, as applicable:

(a) Substantially complies with s. 501.171(3)-(6), as applicable.

(b) Has implemented:

1. One or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, a disaster recovery plan for cybersecurity incidents, and multifactor authentication; or

2. If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, a cybersecurity program that substantially complies with the current version of such laws and regulations, as applicable:

a. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.
b. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, and its implementing regulations.
c. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
d. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
e. The Criminal Justice Information Services (CJIS) Security Policy.
f. Other similar requirements mandated by state or federal laws or regulations.
(4) A covered entity’s or a third-party agent’s cybersecurity program’s compliance with paragraph (3)(b) may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third-party, reflecting that the covered entity’s or third-party agent’s cybersecurity program has implemented the requirements of that paragraph.

(5) A covered entity or a third-party agent must update its cybersecurity program to incorporate any revisions of relevant frameworks or standards or of applicable state or federal laws or regulations within 1 year after the latest publication date stated in any such revisions in order to retain protection from liability.

(6) This section does not establish a private cause of action.

(7) If a civil action is filed against a local government, a covered entity, or a third-party agent that failed to implement a cybersecurity program in compliance with this section, the fact that such defendant could have obtained a liability shield or presumption against liability upon compliance is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault under any other theory of liability.

(8) In a civil action relating to a cybersecurity incident, if the defendant is a local government covered by subsection (2) or a covered entity or third-party agent covered by subsection (3), the defendant has the burden of proof to establish substantial compliance with this section.

(9) This section applies to any putative class action filed before, on, or after the effective date of this act.
Section 3. The Division of Law Revision is directed to replace the phrase “the effective date of this act” wherever it occurs in this act with the date this act becomes a law.

Section 4. This act shall take effect upon becoming a law.