Florida Senate - 2026 SB 692
By Senator Leek
7-00972-26 2026692__
A bill to be entitled

An act relating to cybersecurity standards and liability; amending s. 282.3185, F.S.; authorizing local governments to only adopt specified cybersecurity standards; prohibiting the Department of Management Services from delegating the authority to set such standards to local governments; requiring vendors to comply with specified cybersecurity standards unless otherwise required by state or federal law or regulation; defining the term “vendor”; providing for preemption; creating s. 768.401, F.S.; defining terms; providing that a local government, a covered entity, or a third-party agent that complies with certain requirements is not liable in connection with a cybersecurity incident under certain circumstances; requiring covered entities and third-party agents to implement revised frameworks, standards, laws, or regulations within a specified timeframe in order to retain protection from liability; providing that a private cause of action is not established; providing that the fact that a specified defendant could have obtained a liability shield or a presumption against liability is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault; specifying that the defendant in certain actions has a certain burden of proof; providing applicability; providing a directive to the Division of Law Revision; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:
Section 1. Subsection (4) of section 282.3185, Florida Statutes, is amended to read:

282.3185 Local government cybersecurity.—

(4) CYBERSECURITY STANDARDS.—

(a)1. A local government may only adopt cybersecurity standards that are Each local government shall adopt cybersecurity standards that safeguard its data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The cybersecurity standards must be consistent with the standards and processes established by the department through the Florida Digital Service pursuant to s. 282.318 generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework. The department may not delegate the authority to set cybersecurity standards to a local government.

2. Unless otherwise required by state or federal laws or regulations, a vendor must comply with cybersecurity standards that are consistent with the standards and processes established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0. For purposes of this subparagraph, “vendor” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity.

(b) This subsection preempts any prior cybersecurity standards or processes adopted by a local government which are inconsistent with this subsection Each county with a population of 75,000 or more must adopt the cybersecurity standards required by this subsection by January 1, 2024. Each county with a population of less than 75,000 must adopt the cybersecurity standards required by this subsection by January 1, 2025.

(c) Each municipality with a population of 25,000 or more must adopt the cybersecurity standards required by this subsection by January 1, 2024. Each municipality with a population of less than 25,000 must adopt the cybersecurity standards required by this subsection by January 1, 2025.

(d) Each local government shall notify the Florida Digital Service of its compliance with this subsection as soon as possible.
Section 2. Section 768.401, Florida Statutes, is created to read:

768.401 Limitation on liability for cybersecurity incidents.—

(1) As used in this section, the term:

(a) “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity.

(b) “Cybersecurity standards or frameworks” means one or more of the following:

1. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0;
2. NIST special publication 800-171;
3. NIST special publications 800-53 and 800-53A;
4. The Federal Risk and Authorization Management Program security assessment framework;
5. The Center for Internet Security (CIS) Critical Security Controls;
6. The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards;
7. HITRUST Common Security Framework (CSF);
8. Service Organization Control Type 2 Framework (SOC 2);
9. Secure Controls Framework; or
10. Other similar industry frameworks or standards.

(c) “Disaster recovery” has the same meaning as in s. 282.0041.

(d) “Local government” means a county, a municipality, or other political subdivision of this state.

(e) “Personal information” has the same meaning as in s. 501.171.

(f) “Third-party agent” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(2) A local government is not liable in connection with a cybersecurity incident if the local government has implemented one or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, disaster recovery plans for cybersecurity incidents, and multifactor authentication.

(3) A covered entity or a third-party agent that acquires, maintains, stores, processes, or uses personal information has a presumption against liability in a class action resulting from a cybersecurity incident if the covered entity or the third-party agent has a cybersecurity program that does all of the following, as applicable:

(a) Substantially complies with s. 501.171(3)-(6), as applicable.

(b) Has implemented:

1. One or more policies that substantially comply with cybersecurity standards or align with cybersecurity frameworks, a disaster recovery plan for cybersecurity incidents, and multifactor authentication; or

2. If regulated by the state or Federal Government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, a cybersecurity program that substantially complies with the current version of such laws and regulations, as applicable:

a. The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 C.F.R. part 160 and part 164 subparts A and C.
b. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, and its implementing regulations.
c. The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
d. The Health Information Technology for Economic and Clinical Health Act requirements in 45 C.F.R. parts 160 and 164.
e. The Criminal Justice Information Services (CJIS) Security Policy.
f. Other similar requirements mandated by state or federal laws or regulations.

(4) A covered entity’s or a third-party agent’s cybersecurity program’s compliance with paragraph (3)(b) may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third party, reflecting that the covered entity’s or third-party agent’s cybersecurity program has implemented the requirements of that paragraph.

(5) A covered entity or a third-party agent must update its cybersecurity program to incorporate any revisions of relevant frameworks or standards or of applicable state or federal laws or regulations within 1 year after the latest publication date stated in any such revisions in order to retain protection from liability.

(6) This section does not establish a private cause of action.

(7) If a civil action is filed against a local government, a covered entity, or a third-party agent that failed to implement a cybersecurity program in compliance with this section, the fact that such defendant could have obtained a liability shield or presumption against liability upon compliance is not admissible as evidence of negligence, does not constitute negligence per se, and may not be used as evidence of fault under any other theory of liability.

(8) In a civil action relating to a cybersecurity incident, if the defendant is a local government covered by subsection (2) or a covered entity or third-party agent covered by subsection (3), the defendant has the burden of proof to establish substantial compliance with this section.

(9) This section applies to any putative class action filed before, on, or after the effective date of this act.

Section 3. The Division of Law Revision is directed to replace the phrase “the effective date of this act” wherever it occurs in this act with the date this act becomes a law.

Section 4. This act shall take effect upon becoming a law.