MS SB2471
Bill
AI Summary
- Provides immunity from cybersecurity incident liability for counties, municipalities, and political subdivisions that adopt cybersecurity standards consistent with generally accepted best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Establishes a rebuttable presumption against liability for commercial entities and third-party agents that substantially comply with recognized cybersecurity frameworks, including NIST, the Federal Risk and Authorization Management Program, the Center for Internet Security Critical Security Controls, the ISO/IEC 27000 series, or applicable federal laws (HIPAA, Gramm-Leach-Bliley Act, FISMA, HITECH Act).
- Requires entities using multiple frameworks to adopt revised frameworks within one year after publication if two or more frameworks are updated, and requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) as applicable.
- Places the initial burden on plaintiffs in cybersecurity incident lawsuits against government entities to prove non-compliance by clear and convincing evidence, and requires commercial entities to establish prima facie compliance before the burden shifts to the plaintiff.
- Effective July 1, 2025; does not create a private cause of action for failure to comply and does not establish non-compliance as evidence of negligence.
Legislative Description
Cyber breach; limit liability for certain entities.
Last Action
Died In Committee
3/4/2025