Panel advances cybersecurity bill offering liability presumption for entities meeting NIST standards amid concerns over retroactivity
Summary
CS/HB 635 would give businesses and local governments a presumption against negligence liability if they substantially comply with a NIST‑based cybersecurity framework; the committee reported the bill favorably (14‑1) despite opponents saying the measure could retroactively bar pending class actions and permit self‑certification.
Representative Blanco presented CS/HB 635 as a measure to incentivize adoption of updated cybersecurity standards (NIST framework, data recovery procedures, and multifactor authentication) and to create a presumption against negligence liability for entities that align with the framework. "For local governments and businesses that align with this updated cybersecurity framework and follow incident reporting requirements, they will have a presumption against liability in lawsuits that allege negligence," Blanco said.
Opponents, led by Patrick Barthel of the Florida Justice Association, cautioned the committee that the bill would allow defendants to avoid liability through self‑certification and could operate retroactively to pending class actions. Barthel recounted a medical‑provider breach where before‑and‑after photos and Social Security numbers were dumped on the dark web and said victims received settlement notices; he argued victims should not be barred by a statutory presumption. "So long as the health care provider had a policy that was substantially HIPAA compliant, they don't have to actually abide by that policy," Barthel said, warning that the PCS permitted self‑certification.
Cybersecurity proponents testified that NIST standards, MFA, and encryption provide well‑defined technical measures that meaningfully reduce breach risk and that the bill rewards prudent investments. Members debated the definition of "substantial compliance," retroactivity language and whether pending litigation would be affected; the sponsor said the bill is not retroactive but acknowledged concerns and said courts could make factual determinations on substantial compliance.
After testimony and debate, the committee reported CS/HB 635 favorably with 14 ayes and 1 nay. Members asked for continued work on clarifying definitions and ensuring victims' remedies are not inappropriately limited.
