US Cybersecurity Safe Harbor Laws by State: All Current Legislation

To encourage businesses to take action and secure their IT infrastructure, several US states are trying a new tactic: cybersecurity safe harbor laws offer companies legal protection in the wake of hacks and data breaches, as long as they have implemented a cybersecurity program that reasonably conforms to established standards like the NIST Cybersecurity Framework or ISO 27001. To put it simply, as long as your organization can prove that you had appropriate safety measures in place at the time of an attack, you are protected from legal claims and privacy lawsuits that would normally result from a data breach.

Read on to learn more about cybersecurity safe harbor laws in the US, including which states currently have safe harbor laws in place and how your business can reach the necessary level of IT security to qualify for protection.

Cybersecurity safe harbor laws are legislative acts designed to encourage businesses and organizations to take voluntary action and improve their cybersecurity. They do this by offering an incentive to companies that meet the specific requirements of a safe harbor law: an affirmative legal defense against lawsuits following a security incident. The extents of this protection vary from law to law, but the most common example is protection from tort claims that allege a lack of reasonable cybersecurity controls.

Laws like these are a relatively new phenomenon, with Ohio being the first state to establish a safe harbor as part of the Ohio Data Protection Act in 2018. Since then, three more US states have passed similar legislation and more are likely to follow. The topic of cybersecurity has received a lot of political attention following the Colonial Pipeline hack in May of 2021. Safe harbor laws, which provide positive incentives for implementing security standards, compliment stricter regulations such as the Executive Order on Improving the Nation’s Cybersecurity.

In order to rely on the affirmative legal defense offered by safe harbor laws, businesses must “create, maintain and comply with a written cybersecurity program” that “conforms to an industry recognized cybersecurity framework“.

The reason lawmakers defer to industry standards instead of including a specific list of requirements is that digital technology and threats are constantly changing. Cybersecurity frameworks are regularly updated to reflect new developments, referencing them therefore removes the need to constantly change the law to keep up.

Despite minor variations, all currently existing cybersecurity safe harbor law recognize the same list of frameworks:

Additional requirements include that a cybersecurity program must be of appropriate scale and scope to the organization and be designed to protect personal and restricted information from both outside threats and unauthorized access. Similarly, organizations are required to update their program within a certain timeframe if the law or standard it is based on is revised.

The topic of IT security is more relevant than ever in our increasingly interconnected society and economy. However, the way we discuss matters of cybersecurity tends to be incredibly punitive: the financial damages caused by a ransomware attack, the cost of restoring your network, the fines and settlements for data breaches, etc. While this approach is meant to highlight the importance of safety measures and scare people into action, it can actually have the opposite effect.

Think about it: You’re faced with a highly complex issue and told that making the wrong decision can have grave consequences. In this scenario, it’s not hard to see why an organization might feel tempted to do the absolute minimum, kick the can down the road or ignore the risk entirely. Obviously, “let’s wait and see” is not an effective approach to cybersecurity, but the temptation is understandable.

Safe harbor laws are meant to solve this problem and encourage businesses to deal with cybersecurity ahead of time rather than waiting until the worst comes to pass. By offering an incentive in the form of legal protection rather than a punishment (like a fine), they provide additional motivation for adopting IT safety standards. Especially when paired with traditional regulations and mandates.

Bill HR 7898, also known as the HIPAA Safe Harbor Act, was officially signed into law in January of 2021. Similar to the state laws covered in this article, it is meant to incentivize the use of cybersecurity standards in the healthcare industry. However, it does not extend the same level of broad legal protection.

As an amendment to HIPAA, the bill requires HHS to take existing safety measures into account when investigating breaches. A covered entity that has followed “recognized security practices” like the NIST Cybersecurity Framework for at least 12 months will see lower fines and shorter audits if an incident does occur. Importantly, the reverse is not true and organizations that do not follow a specific industry standard will not receive higher fines as a result of this change.

At first glance, cybersecurity safe harbor laws have a lot in common with cyber insurance: Both require companies to adopt reasonable security measures in order to qualify and both offer protection in the case of an incident, data breach or cyberattack.

However, it’s worth noting that safe harbor laws only apply to very specific cases like tort claims made against your company. Depending on the policy you choose, cyber insurance can protect you from both first- and third-party damages that result from a cyberattack. This means that everything from restoring your network, the revenue lost during your downtime and even the cost of legal fees and settlements is covered.

So while safe harbor laws might offer legal protection, cyber insurance is still an important addition to your company’s risk management strategy in order to protect it from the direct damages caused by hacks or malware attacks.

Despite their similar name, cybersecurity safe harbor laws have nothing to do with the Safe Harbor Privacy Principles, a now defunct agreement between the EU and the US regarding the transfer of consumer data. Whereas cybersecurity laws offer a safe harbor to companies that implement adequate protection, the Privacy Principles were concerned with the question of whether the personal data of EU citizens was sufficiently protected in the US.

The agreement was struck down in 2015 and replaced with the EU-US Privacy Shield, though negotiations and legal challenges are ongoing.

Connecticut’s safe harbor law, formally known as An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses (HB 6607), was signed into law on July 6 2021 and went into effect on October 1, 2021.

The act protects businesses from punitive damages in any tort cases that allege that the breach was caused by “a failure to implement reasonable cybersecurity controls.” However, it does not apply in cases where the failure to implement was due to “gross negligence or wilful or wanton conduct.”

In 2023, Iowa became the latest state to pass a cybersecurity safe harbor law with the Act Relating to Affirmative Defenses for Entities Using Cybersecurity Programs (House File 553). The bill was signed on May 3 and went into effect on July 1, 2023.

Entities that want to seek an affirmative defense under the act must follow a “written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.” In terms of industry-recognized frameworks, Iowa lists the same standards as previous laws: NIST, HIPAA, FISMA, GLBA, ISO and so on.

There are two differences that set the Iowa act apart from previous safe harbor laws: First, it covers not only breaches of personal information but also some forms of business data (specifically, restricted information). Second, while laws generally state that cybersecurity programs should be of an appropriate scale, the Iowa act specifies that the scope of a program “is appropriate if the cost to operate [it] is no less than the covered entity’s most recently calculated maximum probably loss value.”

The Ohio Data Protection Act of 2018 (Senate Bill 220) is the earliest safe harbor law for data breaches in the US. It amended various passages of Title 13 of the Ohio Revised Code (“Commercial Transactions”) to offer companies protection in the form of an “affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach.” The law does not include exceptions for negligence.

The Oklahoma Hospital Cybersecurity Protection Act of 2023 (House Bill 2790) carves out an affirmative legal defense against tort cases for any covered entity whose cybersecurity program reasonably conforms to industry-recognized frameworks, addresses all relevant security needs and is appropriate to the size, scope and nature of the organization. However, as the name suggests, this act only applies to hospitals.

The Tennessee Information Protection Act is a privacy law that enshrines a number of protections for Tennessee residents when it comes to their personal data, from the ability to opt out of having their information processed to requesting copies or the deletion of personal data. TIPA is also notable for being among the first privacy laws to include a safe harbor provision: By creating a written privacy program that conforms to the NIST privacy framework or a similar standard, organizations can defend against legal claims arising from future violations.

Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. It offers an affirmative defense against claims that allege failure to implement reasonable information security controls, failure to appropriately respond to a breach or failure to notify affected individuals. To match these broad protections, the act also sets a higher bar for entities looking to qualify.

For instance, in order to count as a reasonable security program, it must include risk assessments and procedures to detect, prevent and respond to breaches. Additionally, companies must assign an employee to coordinate the program and take measures to train employees in the necessary safety practices. The act also includes several exceptions, such as if an entity had notice of a threat and did not act in a reasonable amount of time.

If you would like to improve the cybersecurity of your organization and meet the requirements of your local safe harbor law, the first step is to choose an established framework you would like to implement. Since these documents all cover the same topic, there is significant overlap in terms of their content. However, choosing the right safety standard from the start can help you avoid having to get certified multiple times, especially if you later require a certification for other reasons.

For companies primarily doing business in the US, the NIST Cybersecurity Framework or NIST 800-53 are often the most appropriate choice. If you are competing for government contracts or working in research, NIST 800-171 will prepare you for working with controlled unclassified information. If you have clients or contractors from around the world, choosing the ISO 27000 family can have the added benefit of its international recognition. However, unless your organization is required to comply with a particular standard or federal law (such as HIPAA), the choice is ultimately up to you.

Although most people tend to think of information security as an IT topic, security frameworks typically include physical, organizational and technical safeguards. To keep data safe from manipulation and theft, it is equally important to protect it against outside forces like cyberattacks and unauthorized access from within your organization.

Insider threats and employee data theft are a particularly tricky aspect of data protection, since their own employees tend to be a blind spot for most organizations. This is just one of the reasons why limiting access to critical data according to the need-to-know or Least Privilege Principle is considered a best practice in information security.

Information security is not a singular issue, but comprises various different aspects such as network safety, intrusion detection, data backups and encryption, device and patch management or access control. Staying on top of all of these requirements is a logistical nightmare, but luckily there are dedicated tools that can help you automate various parts of your security program. Investing into automated software solutions will help you keep your data secure, while also freeing up your IT staff to deal with more productive tasks.

IAM or Identity and Access Management is one of the cornerstones of information security. By restricting access to the minimum level required for each role and eliminating outdated and unnecessary permissions, IAM solutions help businesses combat both cyberattacks and insider threats. There’s a reason why authentification and access control are key parts of every cybersecurity standard from NIST to the CIS Controls and ISO 27001.

While IAM does not cover every requirement of cybersecurity frameworks, it offers a solid foundation for improving your overall level of data protection, and it does so while saving you time and money by automating many routine tasks involved with user management.

tenfold specializes in IAM for mid-sized businesses: Our access management solution can be set up quickly, is easy to use for everyone from IT admins to HR staff and offers out-of-the-box support for various Microsoft services (like Azure AD or Microsoft 365) and third-party applications. Learn more about our philosophy, our range of plugins and why you should choose tenfold!