Back to Florida

SB0692 • 2026

Cybersecurity Standards and Liability

Cybersecurity Standards and Liability

Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Leek
Last action
2026-03-13
Official status
Senate - Died in Appropriations
Effective date
Upon becom

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Cybersecurity Standards and Liability

Cybersecurity Standards and Liability; Prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability, etc.

What This Bill Does

  • Cybersecurity Standards and Liability; Prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability, etc.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

434400

Committee amendment S 692 Filed • Governmental Oversight and Accountability (Leek)

Replaced by Committee Substitute 1/26/2026

Plain English: Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.

  • Florida Senate - 2026 COMMITTEE AMENDMENT Bill No.
  • SB 692 Ì434400bÎ434400 LEGISLATIVE ACTION Senate .
  • House Comm: RCS .
  • 01/26/2026 .

Bill History

  1. 2026-03-13 Senate

    • Died in Appropriations

  2. 2026-02-11 Senate

    • Now in Appropriations

  3. 2026-02-10 Senate

    • Favorable by Judiciary; YEAS 9 NAYS 2

  4. 2026-02-05 Senate

    • On Committee agenda-- Judiciary, 02/10/26, 12:00 pm, 110 Senate Building

  5. 2026-01-29 Senate

    • CS by Governmental Oversight and Accountability read 1st time

  6. 2026-01-28 Senate

    • Now in Judiciary

  7. 2026-01-27 Senate

    • Pending reference review under Rule 4.7(2) - (Committee Substitute)

  8. 2026-01-26 Senate

    • CS by Governmental Oversight and Accountability; YEAS 5 NAYS 4

  9. 2026-01-21 Senate

    • On Committee agenda-- Governmental Oversight and Accountability, 01/26/26, 3:30 pm, 110 Senate Building

  10. 2026-01-13 Senate

    • Introduced

  11. 2025-12-16 Senate

    • Referred to Governmental Oversight and Accountability; Judiciary; Appropriations

  12. 2025-12-02 Senate

    • Filed

Official Summary Text

Cybersecurity Standards and Liability; Prohibiting local governments from imposing certain cybersecurity standards or processes on vendors; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability, etc.

Current Bill Text

Read the full stored bill text
Florida Senate
-
2026

CS for SB 692

By
the Committee on Governmental Oversight and Accountability;
and Senator Leek

585-02205-26 2026692c1
1 A bill to be entitled
2 An act relating to cybersecurity standards and
3 liability; amending s. 282.3185, F.S.; prohibiting
4 local governments from imposing certain cybersecurity
5 standards or processes on vendors; defining the term
6 “vendor”; prohibiting local governments from adopting
7 or enforcing certain cybersecurity standards or
8 processes; creating s. 768.401, F.S.; defining terms;
9 providing that a local government, a covered entity,
10 or a third-party agent that complies with certain
11 requirements is not liable in connection with a
12 cybersecurity incident under certain circumstances;
13 requiring covered entities and third-party agents to
14 implement revised frameworks, standards, laws, or
15 regulations within a specified timeframe in order to
16 retain protection from liability; providing that a
17 private cause of action is not established; providing
18 that the fact that a specified defendant could have
19 obtained a liability shield or a presumption against
20 liability is not admissible as evidence of negligence,
21 does not constitute negligence per se, and may not be
22 used as evidence of fault; specifying that the
23 defendant in certain actions has a certain burden of
24 proof; providing applicability; providing a directive
25 to the Division of Law Revision; providing an
26 effective date.
27
28 Be It Enacted by the Legislature of the State of Florida:
29
30 Section 1. Paragraph (a) of subsection (4) of section
31 282.3185, Florida Statutes, is amended to read:
32 282.3185 Local government cybersecurity.—
33 (4) CYBERSECURITY STANDARDS.—
34 (a)
1.
Each local government shall adopt cybersecurity
35 standards that safeguard its data, information technology, and
36 information technology resources to ensure availability,
37 confidentiality, and integrity. The cybersecurity standards must
38 be consistent with generally accepted best practices for
39 cybersecurity, including the National Institute of Standards and
40 Technology Cybersecurity Framework.
41
2. A local government may not impose cybersecurity

42
standards or processes on a vendor which exceed the standards or

43
processes established under this paragraph, except as necessary

44
to comply with state or federal laws, or with industry-specific

45
requirements applicable to regulated sectors. For purposes of

46
this paragraph, “vendor” means a sole proprietorship,

47
partnership, corporation, trust, estate, cooperative,

48
association, or other commercial entity that contracts with a

49
local government to provide information technology commodities

50
or services.

51
3. A local government may not adopt or enforce any

52
cybersecurity standards or processes that are inconsistent with

53
this paragraph for contracts entered into or amended on or after

54
July 1, 2026.

55 Section 2. Section 768.401, Florida Statutes, is created to
56 read:
57
768.401

Limitation on liability for cybersecurity

58
incidents.—

59
(1)

As used in this section, the term:

60
(a)

“Covered entity” means a sole proprietorship,

61
partnership, corporation, trust, estate, cooperative,

62
association, or other commercial entity.

63
(b)

“Cybersecurity standards or frameworks” means one or

64
more of the following:

65
1.

The National Institute of Standards and Technology

66
(NIST) Cybersecurity Framework 2.0;

67
2.

NIST special publication 800-171;

68
3.

NIST special publications 800-53 and 800-53A;

69
4.

The Federal Risk and Authorization Management Program

70
security assessment framework;

71
5.

The Center for Internet Security (CIS) Critical Security

72
Controls;

73
6.

The International Organization for

74
Standardization/International Electrotechnical Commission 27000

75
series (ISO/IEC 27000) family of standards;

76
7.

HITRUST Common Security Framework (CSF);

77
8.

Service Organization Control Type 2 Framework (SOC 2);

78
9.

Secure Controls Framework; or

79
10.

Other similar industry frameworks or standards.

80
(c)

“Disaster recovery” has the same meaning as in s.

81
282.0041.

82
(d)

“Local government” means a county, a municipality, or

83
other political subdivision of this state.

84
(e)

“Personal information” has the same meaning as in s.

85
501.171.

86
(f)

“Third-party agent” means an entity that has been

87
contracted to maintain, store, or process personal information

88
on behalf of a covered entity.

89
(2)

A local government is not liable in connection with a

90
cybersecurity incident if the local government has implemented

91
one or more policies that substantially comply with

92
cybersecurity standards or align with cybersecurity frameworks,

93
disaster recovery plans for cybersecurity incidents, and multi

94
factor authentication.

95
(3)

A covered entity or a third-party agent that acquires,

96
maintains, stores, processes, or uses personal information has a

97
presumption against liability in a class action resulting from a

98
cybersecurity incident if the covered entity or the third-party

99
agent has a cybersecurity program that does all of the

100
following, as applicable:

101
(a)

Substantially complies with s. 501.171(3)-(6), as

102
applicable.

103
(b)

Has implemented:

104
1. One or more policies that substantially comply with

105
cybersecurity standards or align with cybersecurity frameworks,

106
a disaster recovery plan for cybersecurity incidents, and multi

107
factor authentication; or

108
2.

If regulated by the state or Federal Government, or

109
both, or if otherwise subject to the requirements of any of the

110
following laws and regulations, a cybersecurity program that

111
substantially complies with the current version of such laws and

112
regulations, as applicable:

113
a.

The Health Insurance Portability and Accountability Act

114
of 1996 security requirements in 45 C.F.R. part 160 and part 164

115
subparts A and C.

116
b.

Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L.

117
No. 106-102, as amended, and its implementing regulations.

118
c.

The Federal Information Security Modernization Act of

119
2014, Pub. L. No. 113-283.

120
d.

The Health Information Technology for Economic and

121
Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.

122
e.

The Criminal Justice Information Services (CJIS)

123
Security Policy.

124
f.

Other similar requirements mandated by state or federal

125
laws or regulations.

126
(4)

A covered entity’s or a third-party agent’s

127
cybersecurity program’s compliance with paragraph (3)(b) may be

128
demonstrated by providing documentation or other evidence of an

129
assessment, conducted internally or by a third-party, reflecting

130
that the covered entity’s or third-party agent’s cybersecurity

131
program has implemented the requirements of that paragraph.

132
(5)

A covered entity or a third-party agent must update its

133
cybersecurity program to incorporate any revisions of relevant

134
frameworks or standards or of applicable state or federal laws

135
or regulations within 1 year after the latest publication date

136
stated in any such revisions in order to retain protection from

137
liability.

138
(6)

This section does not establish a private cause of

139
action.

140
(7)

If a civil action is filed against a local government,

141
a covered entity, or a third-party agent that failed to

142
implement a cybersecurity program in compliance with this

143
section, the fact that such defendant could have obtained a

144
liability shield or presumption against liability upon

145
compliance is not admissible as evidence of negligence, does not

146
constitute negligence per se, and may not be used as evidence of

147
fault under any other theory of liability.

148
(8)

In a civil action relating to a cybersecurity incident,

149
if the defendant is a local government covered by subsection (2)

150
or a covered entity or third-party agent covered by subsection

151
(3), the defendant has the burden of proof to establish

152
substantial compliance with this section.

153
(9)

This section applies to any putative class action filed

154
before, on, or after the effective date of this act.

155 Section 3.
The Division of Law Revision is directed to

156
replace the phrase “the effective date of this act” wherever it

157
occurs in this act with the date this act becomes a law.

158 Section 4. This act shall take effect upon becoming a law.