Governor DeSantis Vetoes Cybersecurity Liability Protection Bill
Governor Ron DeSantis has vetoed House Bill 473 (HB 473), a cybersecurity liability protection bill passed by the Florida legislature in the 2024 regular legislative session. The bill would have provided that a county, municipality or other political subdivision that substantially complies with standards and protocols under current law is not liable in connection with a cybersecurity incident. The bill would also have extended protection to any covered entity or third-party agent that acquires, maintains, stores, processes, or uses personal information, provided it complies with Florida notice protocols and has adopted a cybersecurity program that substantially aligns with the current version of applicable state and federal laws and regulations.
In vetoing the bill, Governor DeSantis wrote:
HB 473 provides broad liability protections for state and local governments and private companies that only substantially comply with minimum cybersecurity standards in the event of a data breach or other cybersecurity event.
As passed, the bill could result in Floridians’ data being less secure as the bill provides across-the-board protections for only substantially complying with standards. This incentivizes doing the minimum when protecting consumer data. While my Administration has prioritized policies to reduce frivolous litigation, the bill before me today may result in a consumer having inadequate recourse if a breach occurs.
I encourage interested parties to coordinate with the Florida Cybersecurity Advisory Council to review potential alternatives to the bill that provide a level of liability protection while also ensuring critical data and operations against cyberattacks are protected as much as possible — and the disruption comes with the release of potentially sensitive information.
Governor DeSantis therefore left open the possibility of future legislation that provides liability protection, as long as it gives greater assurance that protected parties cannot use the reform to justify implementing minimally sufficient protocols.