H. B. No. 1220 *HR26/R1580CS* ~ OFFICIAL ~ G1/2
26/HR26/R1580CS
PAGE 1 (ELS\KW)
To: Judiciary A
MISSISSIPPI LEGISLATURE REGULAR SESSION 2026
By: Representatives Hood, Hale
COMMITTEE SUBSTITUTE
FOR
HOUSE BILL NO. 1220
AN ACT TO PROVIDE THAT STATE AND LOCAL GOVERNMENTAL ENTITIES AND CERTAIN COVERED COMMERCIAL ENTITIES ARE NOT LIABLE IN CONNECTION WITH A CYBERSECURITY INCIDENT IF THE ENTITY INVOLVED HAS ADOPTED CERTAIN CYBERSECURITY STANDARDS; TO DEFINE CERTAIN TERMS; TO REQUIRE CYBERSECURITY STANDARDS TO ALIGN WITH NATIONALLY-RECOGNIZED STANDARDS AND THE REQUIREMENTS OF SPECIFIED FEDERAL LAWS; TO CREATE A REBUTTABLE PRESUMPTION AGAINST LIABILITY IN CONNECTION WITH A CYBERSECURITY INCIDENT FOR COMMERCIAL ENTITIES THAT HAVE ADOPTED A CYBERSECURITY PROGRAM THAT SUBSTANTIALLY ALIGNS WITH CERTAIN SPECIFIED CYBERSECURITY STANDARDS IN COMPLIANCE WITH THIS ACT; TO AMEND SECTION 83-5-803, MISSISSIPPI CODE OF 1972, TO CONFORM TO THE PROVISIONS OF THIS ACT; AND FOR RELATED PURPOSES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

SECTION 1. (1) As used in this section, the following words and phrases have the meanings as defined in this subsection unless the context clearly requires otherwise:

(a) "Covered entity" means a sole proprietorship, partnership, company, corporation, trust, estate, cooperative, association or other commercial entity, or a financial institution organized, chartered or holding a license authorizing operation under the laws of this state, another state, the United States or another country.
(b) "Third-party agent" means an entity that has been contracted to maintain, store or process personal information on behalf of a covered entity.

(c) "Substantial compliance" or "substantially complies" means that the covered entity or third-party agent has implemented and maintains the technical cybersecurity requirements as outlined in the relevant standard, guideline or regulation listed in subsection (3)(a) of this section, and can demonstrate that such requirements have been implemented and maintained.

(2) (a) The state, a county, municipality, county hospital or other political subdivision of the state is not liable in connection with a cybersecurity incident if the entity adopts cybersecurity standards that:

(i) Safeguard its data, information technology and information technology resources to ensure availability, confidentiality and integrity; and

(ii) Are consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.

(b) This statement of immunity may not be construed to waive any immunity granted to the state, a county, municipality or other political subdivision of the state under Title 11, Chapter 46, Mississippi Code of 1972. Further, this section shall not apply to acquisitions of information technology governed by Section 25-53-1 et seq.
(3) There is a rebuttable presumption that a covered entity or third-party agent that acquires, maintains, stores or uses personal information is not liable in connection with a cybersecurity incident if the covered entity or third-party agent, in good faith, substantially complies with reasonable measures to protect and secure data in electronic form containing personal information and has:

(a) Adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines or regulations that implement any of the following:

(i) The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the implementing regulations or publications or its most current applicable update, revision or replacement;

(ii) NIST Special Publication 800-171 Revision 3 or its most current applicable update, revision or replacement;

(iii) NIST Special Publications 800-53 and 800-53A Release 5.2.0 or their most current applicable update, revision or replacement;

(iv) The Federal Risk and Authorization Management Program 20x/Revision 5 security assessment framework or its most current applicable update, revision or replacement;

(v) The Center for Internet Security (CIS) Critical Security Controls Version 8.1, or its most current applicable update, revision or replacement; or
(vi) The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards; or

(b) If regulated by the state or federal government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, substantially aligned its cybersecurity program to the current version of the following, as applicable:

(i) The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 CFR part 160 and part 164 subparts A and C;

(ii) Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 57 No. 106-102, as amended, and the implementing regulations;

(iii) The Federal Information Security Modernization Act of 2014, Public Law No. 113-283; or

(iv) The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164.

(4) A covered entity's or third-party agent's alignment with a framework or standard under paragraph (a) or (b) of subsection (3) of this section may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third party, reflecting that the covered entity's or third-party agent's cybersecurity program is substantially aligned with the relevant framework or standard or with the applicable state or federal law or regulation.
(5) The scale and scope of substantial alignment with a standard, law or regulation under paragraph (a) or (b) of subsection (3) of this section by a covered entity or third-party agent, as applicable, is appropriate if it is based on all of the following factors:

(a) The size and complexity of the covered entity or third-party agent;

(b) The nature and scope of the activities of the covered entity or third-party agent;

(c) The sensitivity of the information to be protected;

(d) The cost and availability of tools to improve information security and reduce vulnerabilities; and

(e) The resources available to the covered entity.

(6) A commercial entity or third-party agent covered by subsection (3) of this section which substantially complies with a combination of industry-recognized cybersecurity frameworks or standards to gain the presumption against liability under subsection (3) must adopt, upon the revision of two (2) or more of the frameworks or standards with which the entity complies, the revised frameworks or standards within one (1) year after the latest publication date or latest compliance or effective date stated in the revisions and, if applicable, comply with the Payment Card Industry Data Security Standard (PCI DSS).
(7) In a civil action in connection with a cybersecurity incident, if the defendant is an entity covered by subsection (2) of this section, the plaintiff has the initial burden of demonstrating that the entity was not in substantial compliance with this section.

(8) In a civil action in connection with a cybersecurity incident, if the defendant is an entity under subsection (3) of this section, the defendant has the burden of proof to establish a prima facie case of compliance with industry-recognized cybersecurity frameworks or standards to gain the presumption against liability created under this section. If a defendant meets its initial burden, the burden of proof then shifts to the plaintiff to overcome this presumption against liability by proving that the defendant failed to substantially comply with applicable industry-recognized cybersecurity frameworks or standards.

(9) This act does not establish a private cause of action, including a class action, nor does it preclude or diminish any previously established cause of action, if a covered entity or third-party agent fails to comply with this act.

(10) Failure of a county, municipality, county hospital, other political subdivision of the state, covered entity or third-party agent to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.
ST: Cybersecurity; governmental and certain commercial entities substantially complying with standards not liable for incidents relating to.

(11) A choice of law provision in an agreement that designates this state as the governing law applies to this act, if applicable, to the fullest extent possible in a civil action brought against a person regardless of whether the civil action is brought in this state or another state.

(12) This section is applicable to any suit filed on or after January 1, 2026.

(13) Nothing in this section shall be construed to modify an insurance licensee's obligations under the Insurance Data Security Law, Section 83-5-801 et seq., or to affect the commissioner's power to enforce its provisions.

SECTION 2. Section 83-5-803, Mississippi Code of 1972, is amended as follows:

83-5-803. (1) * * * Except for determining liability pursuant to a civil action in accordance with Section 1 of this act, this article establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event as defined in Section 83-5-805, and notification to the Commissioner of Insurance.

(2) This article may not be construed to create or imply a private cause of action for violation of its provisions nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this article.

SECTION 3. This act shall take effect and be in force from and after July 1, 2026.