The bill introduces a new section, 768.401, to the Florida Statutes, which establishes limitations on liability for cybersecurity incidents involving counties, municipalities, political subdivisions, covered entities, and third-party agents. It defines key terms such as "covered entity," "cybersecurity standards or frameworks," and "third-party agent." The bill stipulates that these entities will not be held liable for cybersecurity incidents if they comply with specific requirements, including having policies that align with recognized cybersecurity standards, disaster recovery plans, and multi-factor authentication. Additionally, it clarifies that a private cause of action is not established and that failures to comply with the cybersecurity program do not constitute negligence or can be used as evidence of fault.

Furthermore, the bill mandates that covered entities and third-party agents must align their cybersecurity programs with any updated frameworks or regulations within one year of their publication. In cases of litigation related to cybersecurity incidents, the burden of proof falls on the defendant to demonstrate substantial compliance with the established cybersecurity standards. The amendments made by this act will apply to any putative class action filed on or after its effective date, which is upon becoming law.