IL HB5243
Bill
Status
1/27/2022
Primary Sponsor
Keith Wheeler
AI Summary
HB5243 - Cybersecurity Compliance Act
- Creates an affirmative defense for businesses that develop and maintain a written cybersecurity program with administrative, technical, and physical safeguards that reasonably conform to an industry-recognized cybersecurity framework.
- Cybersecurity programs must protect personal information or both personal information and restricted information, and be designed to prevent threats to security, integrity, and unauthorized access.
- Program scope must be appropriate based on entity size, complexity, nature of activities, information sensitivity, cost of security tools, and available resources.
- Recognizes six industry-standard frameworks including NIST standards, FedRAMP, Center for Internet Security Critical Security Controls, and ISO/IEC 27000 Family standards; requires updates to revised frameworks within one year of publication.
- Businesses that comply with the program requirements are entitled to an affirmative defense in tort lawsuits alleging inadequate information security controls resulted in a data breach; does not create a private right of action.
Legislative Description
CYBERSECURITY COMPLIANCE ACT
Last Action
Rule 19(a) / Re-referred to Rules Committee
2/18/2022