The bill establishes a new section, 768.401, in the Florida Statutes, which outlines limitations on liability for cybersecurity incidents for counties, municipalities, political subdivisions, covered entities, and third-party agents. It defines key terms such as "covered entity," "cybersecurity standards or frameworks," and "third-party agent." The bill stipulates that these entities will not be held liable for cybersecurity incidents if they comply with specific requirements, including having policies that align with recognized cybersecurity standards, disaster recovery plans, and multi-factor authentication. Additionally, it clarifies that a private cause of action is not established and that failures to comply with the cybersecurity program do not constitute negligence and cannot be used as evidence of fault.
Furthermore, the bill mandates that covered entities and third-party agents must align their cybersecurity programs with any updated frameworks or regulations within one year of their publication. It also specifies that in cases involving cybersecurity incidents, the burden of proof lies with the defendant to demonstrate substantial compliance with the relevant cybersecurity standards. The amendments made by this act will apply to any putative class action filed on or after its effective date.