MS HB1380
Bill
Status
3/31/2025
Primary Sponsor
Joey Hood
AI Summary
- Provides immunity from liability for state and local government entities that adopt cybersecurity standards consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and generally accepted best practices.
- Creates a rebuttable presumption against liability for commercial entities and third-party agents that substantially comply with specified cybersecurity frameworks including NIST publications, Federal Risk and Authorization Management Program, Center for Internet Security Controls, or ISO/IEC 27000-series standards.
- Requires entities claiming the presumption to align cybersecurity programs with applicable federal laws including HIPAA, Gramm-Leach-Bliley Act, Federal Information Security Modernization Act, and HITECH Act if regulated by those requirements.
- Shifts burden of proof so defendants must establish prima facie compliance with industry standards to gain presumption, then plaintiffs must prove by clear and convincing evidence that defendant failed to substantially comply to overcome the presumption.
- Applies to lawsuits filed on or after January 1, 2026 and does not create a private cause of action for failure to comply with the act; failure to implement cybersecurity programs is not evidence of negligence or negligence per se.
Legislative Description
Cybersecurity; governmental and certain commercial entities substantially complying with standards not liable for incidents relating to.
Last Action
Died In Conference
3/31/2025