MS SB2410

Counties, municipalities, county hospitals, and other political subdivisions of Mississippi receive immunity from liability for cybersecurity incidents if they adopt standards consistent with NIST Cybersecurity Framework and generally accepted best practices.

Commercial entities and third-party agents that substantially comply with recognized cybersecurity frameworks receive a rebuttable presumption against liability for cybersecurity incidents.

Qualifying cybersecurity frameworks include NIST Cybersecurity Framework 2.0, NIST 800-171/800-53, FedRAMP, CIS Critical Security Controls Version 8.1, and ISO/IEC 27000-series standards, as well as compliance with HIPAA, Gramm-Leach-Bliley Act, or FISMA requirements.

Compliance scale must be appropriate based on entity size and complexity, scope of activities, data sensitivity, available security tools, and available resources, with entities required to adopt updated framework versions within one year of publication.

Effective July 1, 2026, the act does not create a private cause of action, and failure to implement a compliant cybersecurity program does not constitute negligence per se.