The bill introduces a new section, 768.401, to the Florida Statutes, which establishes limitations on liability for cybersecurity incidents for counties, municipalities, political subdivisions, covered entities, and third-party agents that comply with specific cybersecurity standards. It defines key terms such as "covered entity," "cybersecurity standards or frameworks," and "third-party agent." The bill stipulates that these entities will not be held liable for cybersecurity incidents if they have implemented policies that align with recognized cybersecurity frameworks, disaster recovery plans, and multi-factor authentication. Additionally, it clarifies that a private cause of action is not established and that failures to comply with the cybersecurity program requirements do not constitute negligence or serve as evidence of fault.
Furthermore, the bill requires covered entities and third-party agents to align their cybersecurity programs with any updated frameworks or regulations within one year of their publication. It also specifies that in cases involving cybersecurity incidents, the burden of proof lies with the defendant to demonstrate substantial compliance with the relevant cybersecurity standards. The amendments made by this act will apply to any putative class action filed on or after its effective date; the act takes effect upon becoming law.