MS HB1220
Bill
Status
3/3/2026
Primary Sponsor
Joey Hood
AI Summary
- State and local governmental entities in Mississippi are not liable for cybersecurity incidents if they adopt cybersecurity standards consistent with the NIST Cybersecurity Framework that safeguard data availability, confidentiality, and integrity
- Commercial entities and third-party agents that substantially comply with recognized cybersecurity frameworks (including NIST CSF 2.0, CIS Controls 8.1, ISO/IEC 27000, HIPAA, or Gramm-Leach-Bliley Act requirements) receive a rebuttable presumption against liability for cybersecurity incidents
- Compliance can be demonstrated through internal or third-party assessments, with the scale of alignment based on factors such as entity size, complexity, sensitivity of information protected, and available resources
- Entities relying on multiple cybersecurity frameworks must adopt revised standards within one year of publication when two or more frameworks they follow are updated
- The law applies to suits filed on or after January 1, 2026, does not create a private cause of action, and failure to implement a compliant cybersecurity program does not constitute negligence per se
Legislative Description
Cybersecurity; governmental and certain commercial entities substantially complying with standards not liable for incidents relating to.
Last Action
Died In Committee
3/3/2026