S. B. No. 2410 *SS08/R1159* ~ OFFICIAL ~ G1/2
26/SS08/R1159
PAGE 1 (ens\tb)
To: Judiciary, Division A
MISSISSIPPI LEGISLATURE REGULAR SESSION 2026
By: Senator(s) Williams
SENATE BILL NO. 2410
AN ACT TO PROVIDE THAT A COUNTY OR MUNICIPALITY AND ANY OTHER POLITICAL SUBDIVISION OF THE STATE OR A COMMERCIAL ENTITY SHALL NOT BE LIABLE IN CONNECTION WITH A CYBERSECURITY INCIDENT IF THE ENTITY ADOPTS CERTAIN CYBERSECURITY STANDARDS; TO DEFINE CERTAIN TERMS; TO REQUIRE CYBERSECURITY PROGRAMS TO ALIGN WITH NATIONALLY RECOGNIZED STANDARDS AND THE REQUIREMENTS OF SPECIFIED FEDERAL LAWS; TO PROVIDE A REBUTTABLE PRESUMPTION AGAINST LIABILITY FOR COMMERCIAL ENTITIES THAT ARE IN SUBSTANTIAL COMPLIANCE WITH THIS ACT BY ADOPTING A CYBERSECURITY PROGRAM THAT SUBSTANTIALLY ALIGNS WITH CERTAIN SPECIFIED CYBERSECURITY STANDARDS; AND FOR RELATED PURPOSES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

SECTION 1. (1) As used in this act, the following terms shall have the meanings herein ascribed unless the context clearly requires otherwise:

(a) "Covered entity" means a sole proprietorship, partnership, company, corporation, trust, estate, cooperative, association, or other commercial entity. "Covered entity" shall also mean a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, the United States, another state, or another country.
(b) "Third-party agent" means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(c) "Substantial compliance" or "substantially complies" means that the business has implemented and maintains the technical cybersecurity requirements as outlined in the relevant standard, guideline, or regulation, listed in Section 1(3)(a) of this act, and can demonstrate that such requirements have been implemented and maintained.

(2) (a) A county, municipality, county hospital, the state or any of its political subdivisions shall not be liable in connection with a cybersecurity incident if the entity adopts cybersecurity standards that:

(i) Safeguard its data, information technology and information technology resources to ensure availability, confidentiality and integrity; and

(ii) Are consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework.

(b) This statement of immunity may not be construed to waive any immunity granted to a county, municipality or any other political subdivision under Title 11, Chapter 46, Mississippi Code of 1972. Further, this act shall not apply to acquisitions of information technology governed by Section 25-53-1 et seq.
(3) There shall be a rebuttable presumption that a covered entity or third-party agent that acquires, maintains, stores or uses personal information is not liable in connection with a cybersecurity incident if the covered entity or third-party agent, in good faith, substantially complies with reasonable measures to protect and secure data in electronic form containing personal information and has:

(a) Adopted a cybersecurity program that substantially aligns with the current version of any standards, guidelines or regulations that implement any of the following:

(i) The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the implementing regulations or publications, or its most current applicable update, revision, or replacement.

(ii) NIST Special Publication 800-171 Revision 3, or its most current applicable update, revision, or replacement.

(iii) NIST Special Publications 800-53 and 800-53A Release 5.2.0, or their most current applicable update, revision, or replacement.

(iv) The Federal Risk and Authorization Management Program 20x/Revision 5 security assessment framework, or its most current applicable update, revision, or replacement.

(v) The Center for Internet Security (CIS) Critical Security Controls Version 8.1, or its most current applicable update, revision, or replacement.
(vi) The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards; or

(b) If regulated by the state or federal government, or both, or if otherwise subject to the requirements of any of the following laws and regulations, substantially aligned its cybersecurity program to the current version of the following, as applicable:

(i) The Health Insurance Portability and Accountability Act of 1996 security requirements in 45 CFR part 160 and part 164 subparts A and C;

(ii) Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 57 No. 106-102, as amended, and the implementing regulations;

(iii) The Federal Information Security Modernization Act of 2014, Public Law No. 113-283; or

(iv) The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164.

(4) A covered entity's or third-party agent's alignment with a framework or standard under subsection (3)(a) or (b) of this section may be demonstrated by providing documentation or other evidence of an assessment, conducted internally or by a third party, reflecting that the covered entity's or third-party agent's cybersecurity program is substantially aligned with the relevant framework or standard or with the applicable state or federal law or regulation.
(5) The scale and scope of substantial alignment with a standard, law or regulation under subsection (3)(a) or (b) of this section by a covered entity or third-party agent, as applicable, is appropriate if it is based on all of the following factors:

(a) The size and complexity of the covered entity or third-party agent;

(b) The nature and scope of the activities of the covered entity or third-party agent;

(c) The sensitivity of the information to be protected;

(d) The cost and availability of tools to improve information security and reduce vulnerabilities; and

(e) The resources available to the covered entity.

(6) Any commercial entity or third-party agent covered by subsection (3) of this section which substantially complies with a combination of industry-recognized cybersecurity frameworks or standards to gain the presumption against liability pursuant to subsection (3) of this section must, upon the revision of two (2) or more of the frameworks or standards with which the entity complies, adopt the revised frameworks or standards within one (1) year after the latest publication date or latest compliance or effective date stated in the revisions and, if applicable, comply with the Payment Card Industry Data Security Standard (PCI DSS).
(7) In a civil action in connection with a cybersecurity incident, if the defendant is an entity covered by subsection (2) of this section, the plaintiff shall have the initial burden of demonstrating that the entity was not in substantial compliance with this section.

(8) In a civil action in connection with a cybersecurity incident, if the defendant is an entity under subsection (3) of this section, the defendant has the burden of proof to establish a prima facie case of compliance with industry-recognized cybersecurity frameworks or standards to gain the presumption against liability pursuant to this act. After the defendant meets its initial burden, the burden of proof will then shift to the plaintiff to overcome this presumption against liability by proving that the defendant failed to substantially comply with applicable industry-recognized cybersecurity frameworks or standards.

(9) This act does not establish a private cause of action, including a class action, nor does it diminish any previously established cause of action, if a covered entity or third-party agent fails to comply with a provision of this act.

(10) Failure of a county, municipality, county hospital, other political subdivision of the state, or covered entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.
ST: Cybersecurity; limit liability for governmental and certain commercial entities that substantially comply with standards.

(11) A choice of law provision in an agreement that designates this state as the governing law shall apply to this act, if applicable, to the fullest extent possible in a civil action brought against a person regardless of whether the civil action is brought in this state or another state.

(12) This section shall apply to any civil action filed on or after July 1, 2026.

SECTION 2. This act shall take effect and be in force from and after July 1, 2026.