OK HB4132

Counties and municipalities gain civil liability protection from data breach or cybersecurity incident lawsuits if they adopted and reasonably conformed to NIST Cybersecurity Framework, CIS Critical Security Controls, or ISO/IEC 27000 series standards at the time of the breach.

Safe harbor qualification requires annual self-certification by the IT officer to the governing body affirming framework conformity.

Entities must maintain documentation of cybersecurity practices including policies, asset inventories, multifactor authentication, patching, backups, employee training, incident response, and disaster recovery plans.

Independent external assessments are required at least once every three years, with resulting reports retained as confidential under the Oklahoma Open Records Act.

Counties and municipalities may voluntarily submit certification or review information to the State Auditor and Inspector for statewide benchmarking; effective date November 1, 2026.