Read the full stored bill text
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 1 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
A bill to be entitled 1
An act relating to cybersecurity standards and 2
liability; amending s. 282.3185, F.S.; prohibiting 3
local governments from imposing certain cybersecurity 4
standards or processes on vendors; providing an 5
exception; defining the term "vendor"; prohibiting 6
local governments from adopting or enforcing certain 7
cybersecurity standards or processes; creating s. 8
768.401, F.S.; providing definitions; providing that a 9
local government, a covered entity, or a third-party 10
agent that complies with certain requirements is not 11
liable in connection with a cybersecurity incident 12
under certain circumstances; requiring covered 13
entities and third-party agents to implement revised 14
frameworks, standards, laws, or regulations within a 15
specified time period; providing that a private cause 16
of action is not established; providing that the fact 17
that a specified defendant could have obtained a 18
liability shield or a presumption against liability is 19
not admissible as evidence of negligence, does not 20
constitute negligence per se, and may not be used as 21
evidence of fault; specifying that the defendant in 22
certain actions has a certain burden of proof; 23
providing applicability; providing a directive to the 24
Division of Law Revision; providing an effective date. 25
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 2 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
26
Be It Enacted by the Legislature of the State of Florida: 27
28
Section 1. Paragraph (a) of subsection (4) of section 29
282.3185, Florida Statutes, is amended to read: 30
282.3185 Local government cybersecurity.— 31
(4) CYBERSECURITY STANDARDS.— 32
(a)1. Each local government shall adopt cybersecurity 33
standards that safeguard its data, information technology, and 34
information technology resources to ensure availability, 35
confidentiality, and integrity. The cybersecurity standards must 36
be consistent with generally accepted best practices for 37
cybersecurity, including the National Institute of Standards and 38
Technology Cybersecurity Framework. 39
2. A local government may not impose cybersecurity 40
standards or processes on a vendor that exceed the standards or 41
processes established under this paragraph, except as necessary 42
to comply with state or federal laws, or with industry-specific 43
requirements applicable to regulated sectors. For purposes of 44
this paragraph, the term "vendor" means a sole proprietorship, 45
partnership, corporation, trust, estate, cooperative, 46
association, or other commercial entity that contracts with a 47
local government to provide information technology commodities 48
or services. 49
3. A local government may not adopt or enforce any 50
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 3 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
cybersecurity standards or processes that are inconsistent with 51
this paragraph for contracts entered into or amended on or after 52
July 1, 2026. 53
Section 2. Section 768.401, Florida Statutes, is created 54
to read: 55
768.401 Limitation on liability for cybersecurity 56
incidents.— 57
(1) As used in this section, the term: 58
(a) "Covered entity" means a sole proprietorship, 59
partnership, corporation, trust, estate, cooperative, 60
association, or other commercial entity. 61
(b) "Cybersecurity standards or frameworks" means one or 62
more of the following: 63
1. The National Institute of Standards and Technology 64
(NIST) Cybersecurity Framework 2.0; 65
2. NIST special publication 800-171; 66
3. NIST special publications 800-53 and 800-53A; 67
4. The Federal Risk and Authorization Management Program 68
security assessment framework; 69
5. The Center for Internet Security (CIS) Critical 70
Security Controls; 71
6. The International Organization for 72
Standardization/International Electrotechnical Commission 27000 73
series (ISO/IEC 27000) family of standards; 74
7. HITRUST Common Security Framework (CSF); 75
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 4 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
8. Service Organization Control Type 2 Framework (SOC 2); 76
9. Secure Controls Framework; or 77
10. Other similar industry frameworks or standards. 78
(c) "Disaster recovery" has the same meaning as in s. 79
282.0041. 80
(d) "Local government" means a county, municipality, or 81
other political subdivision of this state. 82
(e) "Personal information" has the same meaning as in s. 83
501.171(1). 84
(f) "Third-party agent" means an entity that has been 85
contracted to maintain, store, or process personal information 86
on behalf of a covered entity. 87
(2) A local government is not liable in connection with a 88
cybersecurity incident if the local government has implemented 89
one or more policies that substantially comply with 90
cybersecurity standards or align with cybersecurity frameworks, 91
disaster recovery plans for cybersecurity incidents, and multi-92
factor authentication. 93
(3) A covered entity or third-party agent that acquires, 94
maintains, stores, processes, or uses personal information has a 95
presumption against liability in a class action resulting from a 96
cybersecurity incident if the covered entity or third-party 97
agent has a cybersecurity program that does all of the 98
following, as applicable: 99
(a) Substantially complies with s. 501.171(3)-(6), as 100
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 5 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
applicable. 101
(b) Has implemented: 102
1. One or more policies that substantially comply with 103
cybersecurity standards or align with cybersecurity frameworks, 104
a disaster recovery plan for cybersecurity incidents, and multi-105
factor authentication; or 106
2. If regulated by the state or Federal Government, or 107
both, or if otherwise subject to the requirements of any of the 108
following laws and regulations, a cybersecurity program that 109
substantially complies with the current version of such laws and 110
regulations, as applicable: 111
a. The Health Insurance Portability and Accountability Act 112
of 1996 security requirements in 45 C.F.R. part 160 and part 164 113
subparts A and C. 114
b. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. 115
No. 106-102, as amended, and its implementing regulations. 116
c. The Federal Information Security Modernization Act of 117
2014, Pub. L. No. 113-283. 118
d. The Health Information Technology for Economic and 119
Clinical Health Act requirements in 45 C.F.R. parts 160 and 164. 120
e. The Criminal Justice Information Services (CJIS) 121
Security Policy. 122
f. Other similar requirements mandated by state or federal 123
laws or regulations. 124
(4) A covered entity's or third-party agent's 125
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 6 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
cybersecurity program's compliance with paragraph (3)(b) may be 126
demonstrated by providing documentation or other evidence of an 127
assessment, conducted internally or by a third-party, reflecting 128
that the covered entity's or third-party agent's cybersecurity 129
program has implemented the requirements of that paragraph. 130
(5) Any covered entity or third-party agent must update 131
its cybersecurity program to incorporate any revisions of 132
relevant frameworks or standards or of applicable state or 133
federal laws or regulations within 1 year after the latest 134
publication date stated in any such revisions in order to retain 135
protection from liability. 136
(6) This section does not establish a private cause of 137
action. 138
(7) If a civil action is filed against a local government, 139
covered entity, or third-party agent that failed to implement a 140
cybersecurity program in compliance with this section, the fact 141
that such defendant could have obtained a liability shield or 142
presumption against liability upon compliance is not admissible 143
as evidence of negligence, does not constitute negligence per 144
se, and may not be used as evidence of fault under any other 145
theory of liability. 146
(8) In a civil action relating to a cybersecurity 147
incident, if the defendant is a local government covered by 148
subsection (2) or a covered entity or third-party agent covered 149
by subsection (3), the defendant has the burden of proof to 150
CS/HB 635 2026
CODING: Words stricken are deletions; words underlined are additions.
hb635-01-c1
Page 7 of 7
F L O R I D A H O U S E O F R E P R E S E N T A T I V E S
establish substantial compliance with this section. 151
(9) This section applies to any putative class action 152
filed before, on, or after the effective date of this act. 153
Section 3. The Division of Law Revision is directed to 154
replace the phrase "the effective date of this act" wherever it 155
occurs in this act with the date this act becomes a law. 156
Section 4. This act shall take effect upon becoming a law. 157