Gov. Ron DeSantis vetoed a bill that sought to limit liability for cybersecurity incidents, citing concerns that it would weaken data protection standards and reduce consumer recourse in the event of a data breach.
Gov. Ron DeSantis vetoed a bill on Wednesday designed to limit liability for cybersecurity incidents, citing concerns that it could weaken data protection standards and reduce recourse for consumers in the event of a data breach.
The bill, House Bill 473, sought to provide liability protections for local governments and private entities that substantially comply with specified cybersecurity standards. In his veto message, DeSantis said the bill’s provisions might reduce data security for Floridians.
“As passed, the bill could result in Floridians’ data being less secure as the bill provides across-the-board protections for only substantially complying with standards,” DeSantis wrote. “This incentivizes doing the minimum when protecting consumer data. While my Administration has prioritized policies to reduce frivolous litigation, the bill before me today may result in a consumer having inadequate recourse if a breach occurs.”
The measure, sponsored by Rep. Mike Giallombardo, was intended to address the growing concern over cybersecurity threats by establishing clear guidelines and protections for entities that handle sensitive personal information. The bill would have offered liability protection to counties, municipalities, and private entities that adhere to established cybersecurity protocols, including those outlined by the National Institute of Standards and Technology (NIST).
Under the bill, a county, municipality, or any political subdivision of the state that complied with cybersecurity training, standards, and incident notification protocols would not be liable for cybersecurity incidents. Private entities and third-party agents that manage personal information would also be shielded from liability if they aligned their cybersecurity programs with recognized standards, such as the NIST Cybersecurity Framework, and complied with notification protocols under existing Florida law.
DeSantis further suggested that involved stakeholders work with the Florida Cybersecurity Advisory Council to explore alternative solutions that balance liability protection with strong data and operational security against cyberattacks.
“I encourage interested parties to coordinate with the Florida Cybersecurity Advisory Council to review potential alternatives to the bill that provide a level of liability protection while also ensuring critical data and operations against cyberattacks are protected as much as possible — and the disruption comes with the release of potentially sensitive information,” he said.
The bill was passed in the Florida House by a vote of 85-29 and in the Senate by a vote of 32-7.