The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Rules
BILL: CS/SB 658
INTRODUCER: Governmental Oversight and Accountability Committee and Senator DiCeglie
SUBJECT: Cybersecurity Incident Liability
DATE: February 13, 2024 REVISED:
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. Bond Cibula JU Favorable
2. Harmsen McVaney GO Fav/CS
3. Bond Twogood RC Favorable
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/SB 658 provides that a county, municipality, or any other political subdivision that has
substantially complied with cybersecurity protocols established by the Department of
Management Services and that has timely notified the state and the local sheriff of a serious
incident related to cybersecurity is not liable for damages related to the incident.
The bill also provides that a sole proprietorship, partnership, corporation, trust, estate,
cooperative, association, or other commercial entity or third-party agent that acquires, maintains,
stores, or uses personal information is not liable in connection with a cybersecurity incident if the
entity substantially complies with the Florida Information Protection Act (FIPA), adopts
standards and guidelines in substantial alignment with the current version of any of six national
standards listed, adopts standards and guidelines that substantially align with all of the four
federal laws that may apply to the entity (including HIPAA and Gramm-Leach-Bliley), and
updates its standards and guidelines within 1 year of an update to the prevailing standard.
The protection afforded by the bill is an affirmative defense where the defendant entity has the
burden of proof on applicability.
There is no impact expected on state revenues and expenditures. Local governments may
experience an indeterminate impact on their revenues and expenditures related to decreased
liability and costs for cyber liability insurance. See Section V.
The bill takes effect upon becoming a law.
II. Present Situation:
Cybersecurity is the practice of protecting computer systems, networks, and programs from
digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying
sensitive information; extorting money from users via ransomware; or interrupting normal
business processes.1 This bill addresses the liability of local governments and private entities
for a cybersecurity incident. One commentator summed up the issue:
Hardly a week goes by nowadays without headlines of yet another incident of
corporate hacking or cybersecurity theft. Companies that electronically store
sensitive information are facing the ever-changing challenge of guarding against
unauthorized access to and misuse of such digital data. Critical computer-based
assets increasingly have come under siege, and sophisticated hackers seem to be
outpacing prophylactic measures designed to thwart their advance. As a result,
digital data breaches have become almost commonplace today not only for
multinational companies, but also for small and midsize companies. In short,
cybersecurity has emerged as more than just an IT challenge--it is now a
business and legal imperative.2
Current Cybersecurity Standards
Local Government Cybersecurity Act
Section 282.3185, F.S., is known as the Local Government Cybersecurity Act (act). The act first
requires counties and municipalities to adopt cybersecurity standards that safeguard the local
government’s data, information technology, and information technology resources to ensure
availability, confidentiality, and integrity.3 The standards must be consistent with generally
accepted best practices for cybersecurity, including the National Institute of Standards and
Technology (NIST) Cybersecurity Framework.4 A local government must notify the Florida Digital
Service5 (FLDS) that it has adopted conforming standards as soon as possible after adoption.6 The
deadline for adoption of standards was January 1, 2024, for counties having a population of
75,000 or more and cities having a population of 25,000 or more. All other counties and
municipalities have until January 1, 2025, to comply.
The act classifies cybersecurity incidents or ransomware incidents into five categories based on
the severity of the incident:
1 Cisco.com, What is Cybersecurity? https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html#:~:text=Cybersecurity%20is%20the%20practice%20of,or%20interrupting%20normal%20business%20processes (last visited Feb. 1, 2024).
2 Hooker & Pill, You've Been Hacked, and Now You're Being Sued: The Developing World of Cybersecurity Litigation, Fla. B.J., 90-7, p. 30 (July/August 2016).
3 Section 282.3185(4)(a), F.S.
4 Id.
5 The Florida Digital Service is an office within the Department of Management Services to propose innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy. Section 282.0051(1), F.S.
6 Section 282.3185(4)(d), F.S.
Level 5 is an emergency-level incident within the specified jurisdiction that poses an
imminent threat to the provision of wide-scale critical infrastructure services; national, state,
or local government security; or the lives of the country’s, state’s, or local government’s
residents.
Level 4 is a severe-level incident that is likely to result in a significant impact in the affected
jurisdiction to public health or safety; national, state, or local security; economic security; or
civil liberties.
Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected
jurisdiction to public health or safety; national, state, or local security; economic security;
civil liberties; or public confidence.
Level 2 is a medium-level incident that may impact public health or safety; national, state, or
local security; economic security; civil liberties; or public confidence.
Level 1 is a low-level incident that is unlikely to impact public health or safety; national,
state, or local security; economic security; civil liberties; or public confidence.7
The act requires a county or municipality to provide notification of a level 3, 4, or 5
cybersecurity incident or ransomware incident to the Cybersecurity Operations Center,
Cybercrime Office of the Department of Law Enforcement, and to the sheriff who has
jurisdiction over the local government. The notification must include, at a minimum, the
following information:
A summary of the facts surrounding the cybersecurity incident or ransomware incident.
The date on which the local government most recently backed up its data; the physical
location of the backup, if the backup was affected; and if the backup was created using cloud
computing.
The types of data compromised by the cybersecurity incident or ransomware incident.
The estimated fiscal impact of the cybersecurity incident or ransomware incident.
In the case of a ransomware incident, the details of the ransom demanded.
A statement requesting or declining assistance from the Cybersecurity Operations Center, the
Cybercrime Office of the Department of Law Enforcement, or the sheriff who has
jurisdiction over the local government.8
The report of a level 3, 4, or 5 ransomware incident or cybersecurity incident must be sent as
soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no
later than 12 hours after discovery of the ransomware incident.9 Reporting a level 1 or 2 incident
is optional and there is no deadline.10
A local government must submit to the Florida Digital Service, within 1 week after the
remediation of a cybersecurity incident or ransomware incident, an after-action report that
summarizes the incident, the incident’s resolution, and any insights gained as a result of the
incident.11
7 Section 282.318(3)(c)9.a., F.S.
8 Section 282.3185(5)(a), F.S.
9 Section 282.3185(5)(b)1., F.S.
10 Section 282.3185(5)(c), F.S.
11 Section 282.3185(6), F.S.
Florida Information Protection Act (FIPA)12
The FIPA is a data security statute that requires governmental entities, specific business entities,
and any third-party agent that holds or processes personal information on behalf of these entities
to take “reasonable measures to protect and secure” a consumer’s personal information.13 The
FIPA defines “personal information” as:
Online account information, such as security questions and answers, email addresses, and
passwords; and
An individual’s first name or first initial and last name, in combination with any one or more
of the following information regarding him or her:
o A social security number;
o A driver license or similar identity verification number issued on a government
document;
o A financial account number or credit or debit card number, in combination with any
required security code, access code, or password that is necessary to permit access to an
individual’s financial account;
o Medical history information or health insurance identification numbers; or
o An individual’s health insurance identification numbers.14
Personal information does not include information:
About an individual that a federal, state, or local governmental entity has made publicly
available; or
That is encrypted, secured, or modified to remove elements that personally identify an
individual or that otherwise renders the information unusable.15
The FIPA requires covered business entities16 that have suffered a data breach to notify affected
individuals of the breach as expeditiously as possible, and no later than 30 days after discovering
the breach.17 However, the notice to affected individuals may be delayed at the request of a law
enforcement agency, and notice is not required if the breach has not and will not likely result in
identity theft or any other financial harm to the individuals whose personal information has been
accessed.18
If more than 500 individuals were affected by the breach, notice of the breach must also be given
to the Department of Legal Affairs (DLA) as expeditiously as possible and no more than 30 days
later.19 If more than 1,000 individuals were affected by the breach, notice must also be given to
all consumer reporting agencies that compile and maintain files on consumers on a nationwide
basis.20 The Fair Credit Reporting Act, 15 U.S.C. s. 1681a(p), provides the timing, distribution,
and content of the notices to consumers.
12 Section 501.171, F.S.; Chapter 2014-189, Laws of Fla.
13 Section 501.171(2), F.S.
14 Section 501.171(1)(g)1., F.S.; OAG supra note 41.
15 Section 501.171(1)(g)2., F.S.
16 A “covered entity” is a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. Section 501.171(1)(b), F.S.
17 Section 501.171(4)(a), F.S.
18 Section 501.171(4)(c), F.S.
19 Section 501.171(3), F.S.
20 Section 501.171(5), F.S.
The FIPA does not provide a private cause of action, but authorizes the DLA to file a civil action
against covered entities under Florida’s Unfair and Deceptive Trade Practices Act (FDUTPA).21
In addition to the remedies provided for under FDUTPA, a covered entity that fails to notify the
DLA, or an individual whose personal information was accessed, of the data breach is liable for a
civil penalty of $1,000 per day for the first 30 days of any violation; $50,000 for each subsequent
30-day period of violation; and up to $500,000 for any violation that continues more than 180
days. These civil penalties apply per breach, not per individual affected by the breach.22
Cybersecurity Standards
There are various recognized cybersecurity standards and regulations. The ones referenced in the
bill are:
Cybersecurity Standards
National Institute of Standards and Technology (NIST) Framework for Improving Critical
Infrastructure Cybersecurity: This publication contains multiple approaches to cybersecurity by
assembling standards, guidelines, and practices that are working effectively today. While
intended for use in critical infrastructure, much of the standards are usable by any organization
to improve security and resilience.23
NIST special publication 800-171: Provides recommended requirements for protecting the
confidentiality of controlled unclassified information. If a manufacturer is part of a Department
of Defense, General Services Administration, NASA, or other state or federal agency supply
chain then they must comply with these security requirements.24
NIST special publications 800-53 and 800-53A: A category of security and privacy controls.
Covers the steps in the Risk Management Framework that address security controls for federal
information systems.25
The Federal Risk and Authorization Management Program security assessment framework:
Organization established by the General Services Administration (a Federal Government
Program) that provides U.S. federal agencies, state agencies, and their vendors with a
standardized set of best practices to assess, adopt, and monitor the use of cloud-based
technology services under the Federal Information Security Management Act (FISMA).26
21 Sections 501.171(9) and (10), F.S.
22 Section 501.171(9)(b), F.S.
23 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last visited Feb. 1, 2024).
24 NIST, What is the NIST SP 800-171 and Who Needs to Follow It?, https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0#:~:text=NIST%20SP%20800-171%20is%20a%20NIST%20Special%20Publication,protecting%20the%20confidentiality%20of%20controlled%20unclassified%20information%20%28CUI%29 (last visited Feb. 1, 2024).
25 NIST, Selecting Security and Privacy Controls: Choosing the Right Approach, https://www.nist.gov/blogs/cybersecurity-insights/selecting-security-and-privacy-controls-choosing-right-approach (last visited Feb. 1, 2024).
26 Reciprocity, How State and Local Agencies Can Use FedRAMP, https://reciprocity.com/how-state-and-local-agencies-can-use-
CIS Critical Security Controls: The Center for Internet Security (CIS) Critical Security Controls
are a prescriptive and simplified set of best practices for strengthening cybersecurity for
different organizations. CIS was created in response to extreme data losses experienced by
organizations in the U.S. defense industrial base.27