MS SB2777
Bill
AI Summary
- Counties, municipalities, and other state political subdivisions are not liable for cybersecurity incidents if they adopt standards that safeguard data and align with generally accepted best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Commercial entities acquire a rebuttable presumption against liability for cybersecurity incidents if their cybersecurity programs substantially align with a specified framework, including the NIST frameworks, the Federal Risk and Authorization Management Program (FedRAMP), the Center for Internet Security (CIS) Critical Security Controls, or the ISO/IEC 27000 series.
- Commercial entities regulated by the state or federal government gain the same presumption against liability if they align their cybersecurity programs with the requirements of HIPAA, the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, or the HITECH Act.
- Substantial alignment must be scaled appropriately to the entity's size and complexity, the nature of its activities, and the sensitivity of the information it protects; when two or more of the standards an entity relies on are revised, the entity must adopt the revised versions within one year.
- In litigation, a plaintiff suing a government entity must prove non-compliance by clear and convincing evidence; a commercial entity claiming the presumption must first establish prima facie compliance, after which the burden shifts to the plaintiff to prove non-compliance.
- The act takes effect July 1, 2024, and does not create a private cause of action.
Legislative Description
Cybersecurity incident liability; provide limitation on liability for certain entities that adopt cybersecurity standards.
Last Action
Died In Committee
3/5/2024