MS HB1575
Bill
Status
3/5/2024
Primary Sponsor
Shane Aguirre
AI Summary
- Local governmental entities (counties, municipalities, political subdivisions) that adopt and substantially comply with generally accepted cybersecurity best practices, including the National Institute of Standards and Technology Cybersecurity Framework, are not liable for cybersecurity incidents.
- Commercial entities and third-party agents handling personal information are not liable for cybersecurity incidents if they substantially comply with reasonable data protection measures and adopt cybersecurity programs aligned with standards including the NIST Framework, NIST Special Publications 800-171 and 800-53, the Federal Risk and Authorization Management Program, the Center for Internet Security Critical Security Controls, or the ISO/IEC 27000 series.
- Entities regulated by state or federal government must align cybersecurity programs with applicable federal laws including the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Federal Information Security Modernization Act, and Health Information Technology for Economic and Clinical Health Act.
- Scale and scope of compliance must be appropriate based on the entity's size, complexity, nature of activities, and sensitivity of information being protected; entities combining multiple frameworks must adopt revisions within one year of publication.
- The act does not create a private cause of action, failure to comply is not evidence of negligence, and defendants must bear the burden of proving substantial compliance in cybersecurity incident lawsuits; effective July 1, 2024.
Legislative Description
Cybersecurity; local governmental and commercial entities substantially complying with certain standards not liable for incidents connected to.
Last Action
Died In Committee
3/5/2024