Read the full stored bill text
ENGR. H. B. NO. 4132 Page 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
ENGROSSED HOUSE
BILL NO. 4132 By: Steagall and Fetgatter of
the House
and
Alvord of the Senate
An Act relating to technology; providing liability
protections for counties and municipalities that
adopt recognized cybersecurity frameworks; providing
requirements for safe harbor qualification;
permitting counties and municipalities to submit
summary information to State Auditor and Inspector;
providing for codification; and providing an
effective date.
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 1000 of Title 75A, unless there
is created a duplication in numbering, reads as follows:
A. No county or municipality shall be held liable in a civil
lawsuit for damages resulting from a data breach or cybersecurity
incident if, at the time of the breach or incident, the county or
municipality had adopted and reasonably conformed its practices to
one or more of the following frameworks:
ENGR. H. B. NO. 4132 Page 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1. The National Institute of Standards and Technology (NIST)
Cybersecurity Framework;
2. The Center for Internet Security (CIS) Critical Security
Controls; or
3. The ISO/IEC 27000 series of information security standards.
B. To qualify for safe harbor under this section, a county or
municipality shall:
1. Complete and submit an annual self-certification by the
county or municipality information technology officer or designee to
the governing body of the county or municipality affirming
conformity to the selected framework;
2. Maintain documentation and records demonstrating
implementation of cybersecurity practices, including, but not
limited to, policies, asset inventories, multifactor authentication,
patching, backups, employee training, incident response, business
continuity, and disaster recovery plans; and
3. Obtain an independent review by a qualified external
assessor not less than once every three (3) years, with the
resulting report to be retained by the county or municipality and
deemed confidential pursuant to the Oklahoma Open Records Act.
C. A county or municipality may voluntarily submit summary
information regarding its self-certification or independent review
to the State Auditor and Inspector for the purpose of statewide
benchmarking and education.
ENGR. H. B. NO. 4132 Page 3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SECTION 2. This act shall become effective November 1, 2026.
Passed the House of Representatives the 17th day of March, 2026.
Presiding Officer of the House
of Representatives
Passed the Senate the _____ day of __________, 2026.
Presiding Officer of the Senate