This bill establishes liability protections for counties and municipalities in Oklahoma that adopt recognized cybersecurity frameworks, such as the NIST Cybersecurity Framework, CIS Critical Security Controls, or the ISO/IEC 27000 series. Specifically, it stipulates that these entities will not be held liable in civil lawsuits for damages resulting from data breaches or cybersecurity incidents, provided they have conformed their practices to one or more of these frameworks at the time of the incident. To qualify for this safe harbor, counties and municipalities must complete an annual self-certification, maintain comprehensive documentation of their cybersecurity practices, and undergo an independent review by a qualified external assessor at least once every three years.

Additionally, the bill allows counties and municipalities to voluntarily submit summary information regarding their self-certification or independent review to the State Auditor and Inspector for statewide benchmarking and educational purposes. The act is set to take effect on November 1, 2026.