HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/CS/HB 473 Cybersecurity Incident Liability
SPONSOR(S): Judiciary Committee, Commerce Committee, Giallombardo and others
TIED BILLS: IDEN./SIM. BILLS: CS/SB 658
REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
1) Judiciary Committee | 18 Y, 3 N, As CS | Leshko | Kramer
SUMMARY ANALYSIS
Section 282.3185, F.S., requires counties and municipalities (referred to as local governments in this section)
to implement, adopt, and comply with cybersecurity training, standards, and incident notification protocols.
Local governments are required to adopt cybersecurity standards that safeguard the local government’s data,
information technology, and information technology resources to ensure availability, confidentiality, and
integrity. The standards must be consistent with generally accepted best practices for cybersecurity, including
the National Institute for Standards and Technology (NIST) Cybersecurity Framework.
NIST is a non-regulatory federal agency housed within the United States Department of Commerce, whose
role is to facilitate and support the development of cybersecurity risk frameworks. NIST is charged with
providing a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including
information security measures and controls that may be voluntarily adopted by owners and operators of critical
infrastructure to help them identify, assess, and manage cyber risks. While the NIST Cybersecurity Framework
was developed with critical infrastructure in mind, it can also be used by organizations in any sector of the
economy or society.
Additionally, s. 501.171, F.S., requires covered entities, governmental entities, and third-party agents to comply
with specified notification protocols in the event of a breach of security affecting personal information.
CS/CS/HB 473 creates s. 768.401, F.S., to provide that a county or municipality that substantially complies
with the cybersecurity training, standards, and notification protocols under s. 282.3185, F.S., or any other
political subdivision of the state that complies with s. 282.3185, F.S., on a voluntary basis, is not liable in
connection with a cybersecurity incident.
The bill also provides that a covered entity or third-party agent that acquires, maintains, stores, processes, or
uses personal information is not liable in connection with a cybersecurity incident if the covered entity or
third-party agent substantially complies with notice protocols as provided within s. 501.171, F.S., as applicable, and
has also adopted a cybersecurity program that substantially aligns with the current version of any standards,
guidelines, or regulations that implement any of the standards specified in the bill or with applicable state and
federal laws and regulations. The bill provides certain requirements for a covered entity or third-party agent to
retain its liability protection.
The bill does not establish a private cause of action. The bill further provides that the amendments made by
the bill apply to any suit filed on or after the effective date of the bill and to any putative class action not
certified on or before the effective date of the bill.
The bill does not affect state or local government revenues or expenditures.
The bill takes effect upon becoming law.
FULL ANALYSIS
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h0473d.JDC
DATE: 2/21/2024
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Present Situation
Access to Courts
The Florida Constitution broadly protects the right to access the courts, which "shall be open to every
person for redress of any injury...."1 However, this constitutional right is not unlimited.
In Kluger v. White,2 the Supreme Court of Florida stated that it would not completely prohibit the
Legislature from altering a cause of action, but neither would it allow the Legislature "to destroy a
traditional and long-standing cause of action upon mere legislative whim...." The takeaway from Kluger
and other relevant case law is that the Legislature may:
• Reduce the right to bring a cause of action as long as the right is not entirely abolished.3
• Abolish a cause of action that is not "traditional and long-standing"—that is, a cause of action
that did not exist at common law, and that did not exist in statute before the adoption of the
Florida Constitution's Declaration of Rights.4
• Abolish a cause of action if the Legislature either:
  o Provides a reasonable commensurate benefit in exchange;5 or
  o Shows an "overpowering public necessity for the abolishment of such right, and no
  alternative method of meeting such public necessity can be shown."6
Tort Liability and Negligence
A "tort" is a wrong for which the law provides a remedy. The purpose of tort law is to fairly compensate
a person harmed by another person’s wrongful acts, whether intentional, reckless, or negligent, through
a civil action or other comparable process. A properly-functioning tort system:
• Provides a fair and equitable forum to resolve disputes;
• Appropriately compensates legitimately harmed persons;
• Shifts the loss to responsible parties;
• Provides an incentive to prevent future harm; and
• Deters undesirable behavior.7
"Negligence" is a legal term for a type of tort action that is unintentionally committed. In a negligence
action, the plaintiff is the party that brings the lawsuit, and the defendant is the party that defends
against it. To prevail in a negligence lawsuit, a plaintiff must demonstrate that the:
• Defendant had a legal duty of care requiring the defendant to conform to a certain standard of
conduct for the protection of others, including the plaintiff, against unreasonable risks;
• Defendant breached his or her duty of care by failing to conform to the required standard;
1 Art. I, s. 21, Fla. Const.
2 Kluger v. White, 281 So. 2d 1 (Fla. 1973).
3 See Achord v. Osceola Farms Co., 52 So. 3d 699 (Fla. 2010).
4 See Anderson v. Gannett Comp., 994 So. 2d 1048 (Fla. 2008) (false light was not actionable under the common law); McPhail v. Jenkins,
382 So. 2d 1329 (Fla. 1980) (wrongful death was not actionable under the common law); see also Kluger, 281 So. 2d at 4 ("We hold,
therefore, that where a right of access to the courts for redress for a particular injury has been provided by statutory law predating the
adoption of the Declaration of Rights of the Constitution of the State of Florida, or where such right has become a part of the common
law of the State . . . the Legislature is without power to abolish such a right without providing a reasonable alternative . . . unless the
Legislature can show an overpowering public necessity . . . .").
5 Kluger, 281 So. 2d at 4; see Univ. of Miami v. Echarte, 618 So. 2d 189 (Fla. 1993) (upholding a statutory cap on medical malpractice
damages because the Legislature provided arbitration, which is a "commensurate benefit" for a claimant); accord Lasky v. State Farm
Ins. Co., 296 So. 2d 9 (Fla. 1974); but see Smith v. Dept. of Ins., 507 So. 2d 1080 (Fla. 1992) (striking down a noneconomic cap on
damages, which, while not wholly abolishing a cause of action, did not provide a commensurate benefit).
6 Kluger, 281 So. 2d at 4-5 (noting that in 1945, the Legislature abolished the right to sue for several causes of action, but successfully
demonstrated "the public necessity required for the total abolition of a right to sue") (citing Rotwein v. Gersten, 36 So. 2d 419 (Fla. 1948));
see Echarte, 618 So. 2d at 195 ("Even if the medical malpractice arbitration statutes at issue did not provide a commensurate benefit, we
would find that the statutes satisfy the second prong of Kluger which requires a legislative finding that an 'overpowering public necessity'
exists, and further that 'no alternative method of meeting such public necessity can be shown'").
7 Am. Jur. 2d Torts s. 2.
• Defendant’s breach caused the plaintiff’s injury; and
• Plaintiff suffered actual damage or loss resulting from his or her injury.8
Courts distinguish varying degrees of civil negligence by using terms such as:
Slight Negligence: The failure to exercise great care. This often applies to injuries caused by common carriers charged with the duty to exercise the highest degree of care toward their passengers.9
Ordinary Negligence: The failure to exercise that degree of care which an ordinary prudent person would exercise; or, in other words, a course of conduct which a reasonable and prudent person would know might possibly result in injury to others.10
Gross Negligence: A course of conduct which a reasonable and prudent person knows would probably and most likely result in injury to another.11 To prove gross negligence, a plaintiff must usually show that the defendant had knowledge or awareness of imminent danger to another and acted or failed to act with a conscious disregard for the consequences.12 Once proven, gross negligence may support a punitive damage13 award.14
In Florida, before a court awards damages in a negligence action, the jury generally assigns a fault
percentage to each party under the comparative negligence rule. Florida applies 15 a "modified"
comparative negligence rule, which generally prohibits a plaintiff from recovering damages if the
plaintiff is more than 50 percent at fault for his or her own harm. 16
The Florida Rules of Civil Procedure generally require a plaintiff in a civil action to file a complaint and
require a defendant to file an answer to the complaint. 17 Florida is a "fact-pleading jurisdiction." This
means that a pleading setting forth a claim for relief, including a complaint, must generally state a
cause of action and contain a:
• Short and plain statement of the grounds on which the court’s jurisdiction depends, unless the
court already has jurisdiction and the claim needs no new grounds to support it;
• Short and plain statement of the ultimate facts18 showing the pleader is entitled to relief; and
• Demand for the relief to which the pleader believes he or she is entitled.19
8 6 Florida Practice Series s. 1.1; see Barnett v. Dept. of Financial Services, 303 So. 3d 508 (Fla. 2020).
9 See Faircloth v. Hill, 85 So. 2d 870 (Fla. 1956); see also Holland America Cruises, Inc. v. Underwood, 470 So. 2d 19 (Fla. 2d DCA
1985); Werndli v. Greyhound Corp., 365 So. 2d 177 (Fla. 2d DCA 1978); 6 Florida Practice Series s. 1.2.
10 See De Wald v. Quarnstrom, 60 So. 2d 919 (Fla. 1952); see also Clements v. Deeb, 88 So. 2d 505 (Fla. 1956); 6 Florida Practice
Series s. 1.2.
11 See Clements, 88 So. 2d 505; 6 Florida Practice Series s. 1.2.
12 See Carraway v. Revell, 116 So. 2d 16 (Fla. 1959).
13 Punitive damages are awarded in addition to actual damages to punish a defendant for behavior considered especially harmful.
Florida generally caps punitive damage awards at $500,000 or triple the value of compensatory damages, whichever is greater, and
caps cases of intentional misconduct with a financial motivation at two million dollars or four times the amount of compensatory
damages, whichever is greater. S. 768.73(1), F.S.
14 See Glaab v. Caudill, 236 So. 2d 180 (Fla. 2d DCA 1970); 6 Florida Practice Series s. 1.2; s. 768.72(2), F.S.
15 The comparative negligence standard does not apply to any action brought to recover economic damages from pollution, based on
an intentional tort, or to which the joint and several liability doctrine is specifically applied in ch. 403, 498, 517, 542, and 895, F.S. S.
768.81(4), F.S.
16 S. 768.81(6), F.S. This comparative negligence rule does not apply to an action for damages for personal injury or wrongful death
arising out of medical negligence pursuant to ch. 766, F.S.; therefore, a plaintiff who is more than fifty percent responsible for his or her
own damages may still recover a portion of damages in a medical negligence suit.
17 Fla. R. Civ. P. 1.100.
18 Ultimate facts are facts that must be accepted for a claim to prevail, usually inferred from a number of supporting evidentiary facts,
which themselves are facts making other facts more probable. See Legal Information Institute, Ultimate Fact,
https://www.law.cornell.edu/wex/ultimate_fact (last visited Jan. 18, 2024); see also Legal Information Institute, Evidentiary Facts,
https://www.law.cornell.edu/wex/evidentiary_fact (last visited Jan. 18, 2024).
19 See Goldschmidt v. Holman, 571 So. 2d 422 (Fla. 1990); Fla. R. Civ. P. 1.110.
However, certain allegations20 must be pleaded with "particularity," which is a heightened level of pleading
requiring a statement of facts sufficient to satisfy the elements of each claim.
Burden of Proof and Presumptions
The burden of proof is an obligation to prove a material fact in issue. 21 Generally, the party who asserts
the material fact in issue has the burden of proof.22 In a civil proceeding, for example, the burden of
proof is on the plaintiff to prove the allegations contained in his or her complaint. Further, a defendant in
either a criminal or a civil proceeding has the burden to prove any affirmative defenses 23 he or she may
raise in response to the charges or allegations. However, there are certain statutory and common law
presumptions 24 that may shift the burden of proof from the party asserting the material fact in issue to
the party defending against such fact.25 These presumptions remain in effect following the introduction
of evidence rebutting the presumption, and the factfinder must decide if such evidence is strong
enough to overcome the presumption.26 A presumption is a legal inference that can be made upon
knowing certain facts. Most presumptions can be rebutted if proven false or thrown into
sufficient doubt by the evidence.27
Local Government Cybersecurity
Section 282.3185, F.S., requires counties and municipalities (referred to as local governments in this
section) to implement, adopt, and comply with cybersecurity training, standards, and incident
notification protocols.
The Florida Digital Service is tasked with developing basic and advanced28 cybersecurity training29
curriculum for local government employees. All local government employees with access to the local
government’s network must complete basic cybersecurity training within 30 days after commencing
employment and annually thereafter.30 Additionally, all local government technology professionals and
employees with access to highly sensitive information must also complete the advanced cybersecurity
training within 30 days after commencing employment and annually thereafter.31
Additionally, local governments are required to adopt cybersecurity standards that safeguard the local
government’s data, information technology, and information technology resources to ensure availability,
confidentiality, and integrity.32 The standards must be consistent with generally accepted best practices
for cybersecurity, including the National Institute for Standards and Technology (NIST) Cybersecurity
20 These allegations include fraud, mistake, condition of the mind, and denial of performance or occurrence. Fla. R. Civ. P. 1.120(b), (c).
21 5 Florida Practice Series s. 16:1.
22 Id.; see Berg v. Bridle Path Homeowners Ass’n, Inc., 809 So. 2d 32 (Fla. 4th DCA 2002).
23 An affirmative defense is a defense which, if proven, negates criminal or civil liability even if it is proven that the defendant committed
the acts alleged. Examples include self-defense, entrapment, insanity, necessity, and respondeat superior. Legal Information Institute,
Affirmative Defense, https://www.law.cornell.edu/wex/affirmative_defense (last visited Jan. 18, 2024).
24 These presumptions tend to be social policy expressions, such as the presumption that all people are sane or that all children born in
wedlock are legitimate. 5 Florida Practice Series s. 16:1.
25 5 Florida Practice Series s. 16:1.
26 Id.
27 Legal Information Institute, Presumption, https://www.law.cornell.edu/wex/presumption (last visited Jan. 18, 2024).
28 Advanced cybersecurity training must develop, assess, and document competencies by role and skill level. The training curriculum
must include training on the identification of each cybersecurity incident severity level contained in s. 282.318(3)(c)9.a., F.S. S.
282.318(3)(g), F.S.
29 The training may be provided in collaboration with the Cybercrime Office of the Florida Department of Law Enforcement, a private
sector entity, or an institution of the Florida State Univ