Bill Amendment: FL S0658 | 2024 | Regular Session
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: Cybersecurity Incident Liability
Status: 2024-03-05 - Laid on Table, refer to CS/CS/HB 473 [S0658 Detail]
Download: Florida-2024-S0658-Senate_Committee_Amendment_779464.html
Bill Title: Cybersecurity Incident Liability
Status: 2024-03-05 - Laid on Table, refer to CS/CS/HB 473 [S0658 Detail]
Download: Florida-2024-S0658-Senate_Committee_Amendment_779464.html
Florida Senate - 2024 COMMITTEE AMENDMENT Bill No. SB 658 Ì779464KÎ779464 LEGISLATIVE ACTION Senate . House . . . . . ————————————————————————————————————————————————————————————————— ————————————————————————————————————————————————————————————————— The Committee on Governmental Oversight and Accountability (DiCeglie) recommended the following: 1 Senate Amendment (with title amendment) 2 3 Delete everything after the enacting clause 4 and insert: 5 Section 1. Section 768.401, Florida Statutes, is created to 6 read: 7 768.401 Limitation on liability for cybersecurity 8 incidents.— 9 (1) A county or municipality that substantially complies 10 with s. 282.3185, and any other political subdivision of the 11 state that substantially complies with s. 282.3185 on a 12 voluntary basis, is not liable in connection with a 13 cybersecurity incident. 14 (2) A sole proprietorship, partnership, corporation, trust, 15 estate, cooperative, association, or other commercial entity or 16 third-party agent that acquires, maintains, stores, or uses 17 personal information is not liable in connection with a 18 cybersecurity incident if the entity substantially complies with 19 s. 501.171, if applicable, and has: 20 (a) Adopted a cybersecurity program that substantially 21 aligns with the current version of any standards, guidelines, or 22 regulations that implement any of the following: 23 1. The National Institute of Standards and Technology 24 (NIST) Framework for Improving Critical Infrastructure 25 Cybersecurity. 26 2. NIST special publication 800-171. 27 3. NIST special publications 800-53 and 800-53A. 28 4. The Federal Risk and Authorization Management Program 29 security assessment framework. 30 5. The Center for Internet Security (CIS) Critical Security 31 Controls. 32 6. The International Organization for 33 Standardization/International Electrotechnical Commission 27000 34 series (ISO/IEC 27000) family of standards; or 35 (b) If regulated by the state or Federal Government, or 36 both, or if otherwise subject to the requirements of any of the 37 following laws and regulations, substantially aligned its 38 cybersecurity program to the current version of the following, 39 as applicable: 40 1. The Health Insurance Portability and Accountability Act 41 of 1996 security requirements in 45 C.F.R. part 160 and part 164 42 subparts A and C. 43 2. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. 44 No. 106-102, as amended. 45 3. The Federal Information Security Modernization Act of 46 2014, Pub. L. No. 113-283. 47 4. The Health Information Technology for Economic and 48 Clinical Health Act requirements in 45 C.F.R. parts 160 and 164. 49 (3) The scale and scope of substantial alignment with a 50 standard, law, or regulation under paragraph (2)(a) or paragraph 51 (2)(b) by a covered entity or third-party agent, as applicable, 52 is appropriate if it is based on all of the following factors: 53 (a) The size and complexity of the covered entity or third 54 party agent. 55 (b) The nature and scope of the activities of the covered 56 entity or third-party agent. 57 (c) The sensitivity of the information to be protected. 58 (4) Any commercial entity or third-party agent covered by 59 subsection (2) that substantially complies with a combination of 60 industry-recognized cybersecurity frameworks or standards to 61 gain the presumption against liability pursuant to subsection 62 (2) must, upon the revision of two or more of the frameworks or 63 standards with which the entity complies, adopt the revised 64 frameworks or standards within 1 year after the latest 65 publication date stated in the revisions and, if applicable, 66 comply with the Payment Card Industry Data Security Standard 67 (PCI DSS). 68 (5) This section does not establish a private cause of 69 action. Failure of a county, municipality, other political 70 subdivision of the state, or commercial entity to substantially 71 implement a cybersecurity program that is in compliance with 72 this section is not evidence of negligence and does not 73 constitute negligence per se. 74 (6) In an action in connection with a cybersecurity 75 incident, if the defendant is an entity covered by subsection 76 (1) or subsection (2), the defendant has the burden of proof to 77 establish substantial compliance. 78 Section 2. This act shall take effect upon becoming a law. 79 80 ================= T I T L E A M E N D M E N T ================ 81 And the title is amended as follows: 82 Delete everything before the enacting clause 83 and insert: 84 A bill to be entitled 85 An act relating to cybersecurity incident liability; 86 creating s. 768.401, F.S.; providing that a county, 87 municipality, other political subdivision of the 88 state, commercial entity, or third-party agent that 89 complies with certain requirements is not liable in 90 connection with a cybersecurity incident; requiring 91 certain entities to adopt certain revised frameworks 92 or standards within a specified time period; providing 93 that a private cause of action is not established; 94 providing that certain failures are not evidence of 95 negligence and do not constitute negligence per se; 96 specifying that the defendant in certain actions has a 97 certain burden of proof; providing an effective date.