Florida's cybersecurity safe harbor, on its third try

The Giallombardo cybersecurity liability bill keeps coming back. The 2026 version (HB 635) is the closest yet, and worth understanding before it lands.

Florida has been trying to pass a cybersecurity safe harbor statute for three legislative cycles now. The pattern is the same each time. Representative Mike Giallombardo files a bill creating a liability shield for organizations that meet recognized cybersecurity standards. The bill picks up bipartisan support. Then something derails it. HB 473 in 2024 passed both chambers and was vetoed by the Governor over concerns about the ambiguity of “substantial compliance.” CS/CS/HB 1183 in 2025 died in the State Affairs Committee. CS/HB 635, filed for the 2026 session, is the third attempt, and as of January 2026 it has cleared its first subcommittee 16-0 in revised form.

The structure of the 2026 bill is worth understanding now because the substantive design is close to settled, even though the specific text will move before final passage.

The bill does two distinct things, and the distinction matters. For local governments, it provides an outright shield from liability in cybersecurity incident lawsuits if the entity substantially complies with a recognized cybersecurity framework, implements a disaster recovery plan, and uses multi-factor authentication. For private entities (called “covered entities” in the bill, the same term Florida uses in its data breach notification statute), it provides a presumption against liability in class action lawsuits if those same conditions are met, plus substantial compliance with Florida’s existing breach notification rules.

The recognized frameworks are the usual suspects. NIST Cybersecurity Framework 2.0, NIST SP 800-171 and SP 800-53, FedRAMP, the CIS Critical Security Controls, ISO/IEC 27001, HITRUST, and SOC 2 are all enumerated. Entities already regulated by a sector-specific federal regime (HIPAA for healthcare, GLBA for financial institutions, CJIS for law enforcement systems) can demonstrate substantial compliance with that regime instead. The breadth of acceptable frameworks is the part the prior versions of the bill spent the most political capital negotiating, and the 2026 list looks final.

Three features of the bill are worth flagging because they shape what compliance actually has to look like.

First, the bill applies to putative class actions filed before, on, or after the effective date, which means once it passes, defendants in pending cybersecurity class actions can invoke the presumption retroactively. That is unusual, and it is one of the reasons the bill has plaintiff-bar opposition.

Second, the bill places the burden of proof on the defendant. To get the presumption, the defendant has to establish substantial compliance affirmatively. Documentation is the entire ballgame. Internal or third-party assessments showing implementation of the mandated requirements are the evidence that gets you the shield. If you cannot produce them, you cannot invoke it.

Third, the bill requires entities to update their programs within one year of revisions to the relevant frameworks. NIST CSF moved from 1.1 to 2.0 in February 2024, and ISO/IEC 27001 was last revised in 2022. Organizations that achieve compliance once and then let their program drift lose the protection, so the framework a program is mapped to has to be tracked as a moving target, not a one-time checkpoint.

For a Florida business that handles personal information, the practical move is to start the framework alignment work now, regardless of whether HB 635 passes this session. Three reasons.

The frameworks the bill enumerates are the same frameworks vendor diligence questionnaires are already asking about. The work has dual-use value.

The breach notification rules in Section 501.171, Florida Statutes, are unchanged and already require notice to the Department of Legal Affairs within 30 days of determining that a breach affected 500 or more individuals in Florida, with civil penalties of up to $500,000 for failure to notify. Substantial compliance with those rules is a precondition to the safe harbor and is a current legal obligation independent of it.

If the safe harbor passes, the entities ready to invoke it on day one are the ones who started the documentation work months earlier. The shield is only as good as the evidence supporting it.

This bill has been close to law twice. The third time may be the one. The cost of being ready early is small. The cost of scrambling after enactment is the cost of doing the framework work under deadline pressure rather than at a normal pace, with the same end result either way.