The proposed bill establishes a new section, 768.401, in the Florida Statutes, which outlines limitations on liability for cybersecurity incidents for counties, municipalities, political subdivisions, covered entities, and third-party agents. Under this section, these entities will not be held liable for cybersecurity incidents if they have implemented policies that substantially comply with recognized cybersecurity standards, frameworks, and disaster recovery plans. The bill also specifies that covered entities and third-party agents can gain a presumption against liability in class actions if they maintain a cybersecurity program that meets certain compliance criteria, including adherence to various federal and state regulations.

Additionally, the bill clarifies that there is no private cause of action established under this section, and any evidence that a defendant could have obtained a liability shield or presumption against liability is inadmissible in court. The burden of proof for establishing compliance with the cybersecurity requirements falls on the defendant in relevant civil actions. The bill mandates that covered entities and third-party agents must update their cybersecurity programs within one year of any revisions to applicable frameworks or laws to maintain their liability protections. The amendments made by this act will apply to any putative class action filed before, on, or after the effective date of the law.