WeVote

Bill

Bill

SF 307

A bill for an act relating to matters under the purview of the department of management, making appropriations, and including applicability provisions.

2025-2026 Regular Session

Prohibits broad vendor liability waivers in IT contracts and shields CISO security communications from open records, strengthening accountability and cybersecurity.

Committee report approving bill, renumbered as SF 630.
0
WeVote Research Nonpartisan
Bill Summary · SF 307

SF 307 (renumbered SF 630) — Summary

Overview
- Purpose: A bill from the department of management focusing on management-related appropriations and information technology governance, with specific new protections for state contracts and confidentiality related to cybersecurity communications.
- Status and timeline: Introduced February 13, 2025. Referred to Appropriations and a subcommittee (Feb 19, 2025). Subcommittee recommended passage (Mar 12, 2025). Committee report approved and renumbered SF 630 (April 17, 2025). The bill in its current form contains at least two new sections affecting vendor liability in IT contracts and confidentiality of Chief Information Security Officer (CISO) communications.

Key Provisions

1) New Section 8.96 – Limitation of vendor liability in IT contracts (Contracts)
- Authority: The director may include a contractual limitation of vendor liability in information technology goods and services contracts.
- Public policy safeguards: Any contract term that attempts to:
- Repudiate all liability for cybersecurity incidents, or
- Limit the vendor’s liability for intentional torts, criminal acts, fraudulent conduct, intentional or willful misconduct, gross negligence, death or bodily injury, property damage, IP violations, liquidated damages, regulatory violations, confidentiality breaches, or indemnification obligations
shall be void as a matter of law and contrary to public policy.
- Equitable application: A contractual limit must apply equally to all contracted parties; a limit that applies to only one party or that reduces liability below the contract value (including potential extensions) is void as contrary to public policy.
- Balance of interests: The provision requires that any liability limitation consider the public interest and mitigate risks associated with IT goods or services.

2) New Section 8.97 – Confidentiality of CIO communications
- Scope: Confidentiality applies to communications between the chief information security officer (CISO) and other entities concerning security incidents and security breaches, and to documents created based on those communications.
- Open records exception: Notwithstanding state open records laws, the department may not release these communications.
- Evidence and discovery: Such communications and related documents shall not be received into evidence, nor subject to discovery, or released in other ways, preserving confidentiality for security purposes.

Affected Parties and Impact

  • State Agencies and Departments: Particularly those procuring IT goods and services; they gain clearer authority to set liability limits with appropriate public-policy protections.
  • IT Vendors and Contractors: Face specified boundaries on liability; must ensure that any contractual caps are applied equally and do not attempt to waive critical liabilities.
  • State Cybersecurity Operations: Enhanced confidentiality around CISO communications should improve information-sharing and incident response without exposing sensitive materials through open records or litigation processes.
  • General Public Interest: Public policy protections prevent hollow or inequitable liability caps that would undermine accountability in cybersecurity and contractual obligations.

Procedural/Timeline Notes

  • Introduced: February 13, 2025
  • Referred to: Appropriations (February 19, 2025); Subcommittee review (Feb 19, 2025; recommended passage March 12, 2025)
  • Committee action: Approved in committee and renumbered SF 630 (April 17, 2025)

In sum, SF 307 (SF 630) strengthens state IT contracting safeguards by prohibiting broad or unequal liability waivers and by safeguarding confidential CIO-security communications to support effective cybersecurity governance.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.