The proposed bill establishes a new section, 768.401, in the Florida Statutes, which outlines limitations on liability for cybersecurity incidents for counties, municipalities, political subdivisions, covered entities, and third-party agents. It specifies that these entities will not be held liable for cybersecurity incidents if they have implemented policies that substantially comply with recognized cybersecurity standards, frameworks, and disaster recovery plans. The bill also provides a presumption against liability for covered entities and third-party agents that maintain personal information, provided they have a compliant cybersecurity program. Additionally, it clarifies that no private cause of action is established under this section, and the potential for a liability shield cannot be used as evidence in negligence claims.

Furthermore, the bill mandates that covered entities and third-party agents must update their cybersecurity programs to reflect any revisions to relevant frameworks or laws within one year of publication. In cases where a civil action is brought against an entity that failed to comply with the cybersecurity program requirements, the inability to obtain a liability shield due to non-compliance cannot be used as evidence of negligence. The burden of proof regarding compliance with the new requirements falls on the defendant in actions related to cybersecurity incidents. The amendments made by this act will apply to any putative class action filed before, on, or after the effective date of the law.