The proposed bill establishes a new section, 768.401, in the Florida Statutes, which outlines limitations on liability for cybersecurity incidents involving counties, municipalities, political subdivisions, covered entities, and third-party agents. Under this section, these entities will not be held liable for cybersecurity incidents if they comply with specific requirements, such as adopting policies that align with recognized cybersecurity standards, implementing disaster recovery plans, and utilizing multi-factor authentication. Additionally, the bill clarifies that a private cause of action is not created, and failures to comply with the cybersecurity program do not constitute negligence or serve as evidence of fault.

The bill also specifies that covered entities and third-party agents must demonstrate substantial compliance with cybersecurity frameworks and standards, and they are required to update their cybersecurity programs within one year of any revisions to these standards to maintain liability protection. In cases involving cybersecurity incidents, the burden of proof will lie with the defendant to establish compliance with the relevant cybersecurity requirements. The amendments introduced by this act will apply to any class action filed after its effective date, which is upon becoming law.