Read the full stored bill text
Florida Senate
-
2026
CS for SB 692
By
the Committee on Governmental Oversight and Accountability;
and Senator Leek
585-02205-26 2026692c1
1 A bill to be entitled
2 An act relating to cybersecurity standards and
3 liability; amending s. 282.3185, F.S.; prohibiting
4 local governments from imposing certain cybersecurity
5 standards or processes on vendors; defining the term
6 “vendor”; prohibiting local governments from adopting
7 or enforcing certain cybersecurity standards or
8 processes; creating s. 768.401, F.S.; defining terms;
9 providing that a local government, a covered entity,
10 or a third-party agent that complies with certain
11 requirements is not liable in connection with a
12 cybersecurity incident under certain circumstances;
13 requiring covered entities and third-party agents to
14 implement revised frameworks, standards, laws, or
15 regulations within a specified timeframe in order to
16 retain protection from liability; providing that a
17 private cause of action is not established; providing
18 that the fact that a specified defendant could have
19 obtained a liability shield or a presumption against
20 liability is not admissible as evidence of negligence,
21 does not constitute negligence per se, and may not be
22 used as evidence of fault; specifying that the
23 defendant in certain actions has a certain burden of
24 proof; providing applicability; providing a directive
25 to the Division of Law Revision; providing an
26 effective date.
27
28 Be It Enacted by the Legislature of the State of Florida:
29
30 Section 1. Paragraph (a) of subsection (4) of section
31 282.3185, Florida Statutes, is amended to read:
32 282.3185 Local government cybersecurity.—
33 (4) CYBERSECURITY STANDARDS.—
34 (a)
1.
Each local government shall adopt cybersecurity
35 standards that safeguard its data, information technology, and
36 information technology resources to ensure availability,
37 confidentiality, and integrity. The cybersecurity standards must
38 be consistent with generally accepted best practices for
39 cybersecurity, including the National Institute of Standards and
40 Technology Cybersecurity Framework.
41
2. A local government may not impose cybersecurity
42
standards or processes on a vendor which exceed the standards or
43
processes established under this paragraph, except as necessary
44
to comply with state or federal laws, or with industry-specific
45
requirements applicable to regulated sectors. For purposes of
46
this paragraph, “vendor” means a sole proprietorship,
47
partnership, corporation, trust, estate, cooperative,
48
association, or other commercial entity that contracts with a
49
local government to provide information technology commodities
50
or services.
51
3. A local government may not adopt or enforce any
52
cybersecurity standards or processes that are inconsistent with
53
this paragraph for contracts entered into or amended on or after
54
July 1, 2026.
55 Section 2. Section 768.401, Florida Statutes, is created to
56 read:
57
768.401
Limitation on liability for cybersecurity
58
incidents.—
59
(1)
As used in this section, the term:
60
(a)
“Covered entity” means a sole proprietorship,
61
partnership, corporation, trust, estate, cooperative,
62
association, or other commercial entity.
63
(b)
“Cybersecurity standards or frameworks” means one or
64
more of the following:
65
1.
The National Institute of Standards and Technology
66
(NIST) Cybersecurity Framework 2.0;
67
2.
NIST special publication 800-171;
68
3.
NIST special publications 800-53 and 800-53A;
69
4.
The Federal Risk and Authorization Management Program
70
security assessment framework;
71
5.
The Center for Internet Security (CIS) Critical Security
72
Controls;
73
6.
The International Organization for
74
Standardization/International Electrotechnical Commission 27000
75
series (ISO/IEC 27000) family of standards;
76
7.
HITRUST Common Security Framework (CSF);
77
8.
Service Organization Control Type 2 Framework (SOC 2);
78
9.
Secure Controls Framework; or
79
10.
Other similar industry frameworks or standards.
80
(c)
“Disaster recovery” has the same meaning as in s.
81
282.0041.
82
(d)
“Local government” means a county, a municipality, or
83
other political subdivision of this state.
84
(e)
“Personal information” has the same meaning as in s.
85
501.171.
86
(f)
“Third-party agent” means an entity that has been
87
contracted to maintain, store, or process personal information
88
on behalf of a covered entity.
89
(2)
A local government is not liable in connection with a
90
cybersecurity incident if the local government has implemented
91
one or more policies that substantially comply with
92
cybersecurity standards or align with cybersecurity frameworks,
93
disaster recovery plans for cybersecurity incidents, and multi
94
factor authentication.
95
(3)
A covered entity or a third-party agent that acquires,
96
maintains, stores, processes, or uses personal information has a
97
presumption against liability in a class action resulting from a
98
cybersecurity incident if the covered entity or the third-party
99
agent has a cybersecurity program that does all of the
100
following, as applicable:
101
(a)
Substantially complies with s. 501.171(3)-(6), as
102
applicable.
103
(b)
Has implemented:
104
1. One or more policies that substantially comply with
105
cybersecurity standards or align with cybersecurity frameworks,
106
a disaster recovery plan for cybersecurity incidents, and multi
107
factor authentication; or
108
2.
If regulated by the state or Federal Government, or
109
both, or if otherwise subject to the requirements of any of the
110
following laws and regulations, a cybersecurity program that
111
substantially complies with the current version of such laws and
112
regulations, as applicable:
113
a.
The Health Insurance Portability and Accountability Act
114
of 1996 security requirements in 45 C.F.R. part 160 and part 164
115
subparts A and C.
116
b.
Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L.
117
No. 106-102, as amended, and its implementing regulations.
118
c.
The Federal Information Security Modernization Act of
119
2014, Pub. L. No. 113-283.
120
d.
The Health Information Technology for Economic and
121
Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
122
e.
The Criminal Justice Information Services (CJIS)
123
Security Policy.
124
f.
Other similar requirements mandated by state or federal
125
laws or regulations.
126
(4)
A covered entity’s or a third-party agent’s
127
cybersecurity program’s compliance with paragraph (3)(b) may be
128
demonstrated by providing documentation or other evidence of an
129
assessment, conducted internally or by a third-party, reflecting
130
that the covered entity’s or third-party agent’s cybersecurity
131
program has implemented the requirements of that paragraph.
132
(5)
A covered entity or a third-party agent must update its
133
cybersecurity program to incorporate any revisions of relevant
134
frameworks or standards or of applicable state or federal laws
135
or regulations within 1 year after the latest publication date
136
stated in any such revisions in order to retain protection from
137
liability.
138
(6)
This section does not establish a private cause of
139
action.
140
(7)
If a civil action is filed against a local government,
141
a covered entity, or a third-party agent that failed to
142
implement a cybersecurity program in compliance with this
143
section, the fact that such defendant could have obtained a
144
liability shield or presumption against liability upon
145
compliance is not admissible as evidence of negligence, does not
146
constitute negligence per se, and may not be used as evidence of
147
fault under any other theory of liability.
148
(8)
In a civil action relating to a cybersecurity incident,
149
if the defendant is a local government covered by subsection (2)
150
or a covered entity or third-party agent covered by subsection
151
(3), the defendant has the burden of proof to establish
152
substantial compliance with this section.
153
(9)
This section applies to any putative class action filed
154
before, on, or after the effective date of this act.
155 Section 3.
The Division of Law Revision is directed to
156
replace the phrase “the effective date of this act” wherever it
157
occurs in this act with the date this act becomes a law.
158 Section 4. This act shall take effect upon becoming a law.