US Cybersecurity Safe Harbor Laws by State: All Current Legislation

Getting hit by a cyberattack is a nightmare scenario for any company. Businesses not only have to deal with lost productivity and the cost of IT repairs, but could also be on the hook for fines and legal damages if any sensitive data was exposed as a result of the breach. Given this incredibly bleak scenario, many organizations would rather ignore the risk, despite a steady rise in cybercrime over the past years.

To encourage businesses to take action and secure their IT infrastructure, several US states are trying a new tactic: cybersecurity safe harbor laws offer companies legal protection in the wake of hacks and data breaches, as long as they have implemented a cybersecurity program that reasonably conforms to established standards like the NIST Cybersecurity Framework or ISO 27001. To put it simply, as long as your organization can prove that you had appropriate safety measures in place at the time of an attack, you are protected from legal claims and privacy lawsuits that would normally result from a data breach.

Read on to learn more about cybersecurity safe harbor laws in the US, including which states currently have safe harbor laws in place and how your business can reach the necessary level of IT security to qualify for protection.

What Are Cybersecurity Safe Harbor Laws?

Cybersecurity safe harbor laws are legislative acts designed to encourage businesses and organizations to take voluntary action and improve their cybersecurity. They do this by offering an incentive to companies that meet the specific requirements of a safe harbor law: an affirmative legal defense against lawsuits following a security incident. The extents of this protection vary from law to law, but the most common example is protection from tort claims that allege a lack of reasonable cybersecurity controls.

Laws like these are a relatively new phenomenon, with Ohio being the first state to establish a safe harbor as part of the Ohio Data Protection Act in 2018. Since then, three more US states have passed similar legislation and more are likely to follow. The topic of cybersecurity has received a lot of political attention following the Colonial Pipeline hack in May of 2021. Safe harbor laws, which provide positive incentives for implementing security standards, compliment stricter regulations such as the Executive Order on Improving the Nation’s Cybersecurity.

Note: An affirmative legal defense does not necessarily stop your company from being sued, but will likely lead to the dismissal of the lawsuit and thus generally discourages legal action.

Requirements and Acceptable Frameworks

In order to rely on the affirmative legal defense offered by safe harbor laws, businesses must “create, maintain and comply with a written cybersecurity program” that “conforms to an industry recognized cybersecurity framework“.

The reason lawmakers defer to industry standards instead of including a specific list of requirements is that digital technology and threats are constantly changing. Cybersecurity frameworks are regularly updated to reflect new developments, referencing them therefore removes the need to constantly change the law to keep up.

Despite minor variations, all currently existing cybersecurity safe harbor law recognize the same list of frameworks:

Additional requirements include that a cybersecurity program must be of appropriate scale and scope to the organization and be designed to protect personal and restricted information from both outside threats and unauthorized access. Similarly, organizations are required to update their program within a certain timeframe if the law or standard it is based on is revised.

White paper

NIST-Compliant Access Control With tenfold

Download our compliance guide to learn which access control measures are required by the NIST CSF and SP 800 series and how tenfold helps you implement them!

How Can Safe Harbor Laws Improve Cybersecurity?

The topic of IT security is more relevant than ever in our increasingly interconnected society and economy. However, the way we discuss matters of cybersecurity tends to be incredibly punitive: the financial damages caused by a ransomware attack, the cost of restoring your network, the fines and settlements for data breaches, etc. While this approach is meant to highlight the importance of safety measures and scare people into action, it can actually have the opposite effect.

Think about it: You’re faced with a highly complex issue and told that making the wrong decision can have grave consequences. In this scenario, it’s not hard to see why an organization might feel tempted to do the absolute minimum, kick the can down the road or ignore the risk entirely. Obviously, “let’s wait and see” is not an effective approach to cybersecurity, but the temptation is understandable.

Safe harbor laws are meant to solve this problem and encourage businesses to deal with cybersecurity ahead of time rather than waiting until the worst comes to pass. By offering an incentive in the form of legal protection rather than a punishment (like a fine), they provide additional motivation for adopting IT safety standards. Especially when paired with traditional regulations and mandates.

CEO and employees at company meeting for safety education and practice.
Safe harbor laws reward companies that take voluntary action to improve IT security. Adobe Stock, (c)

HIPAA Safe Harbor Provision

Bill HR 7898, also known as the HIPAA Safe Harbor Act, was officially signed into law in January of 2021. Similar to the state laws covered in this article, it is meant to incentivize the use of cybersecurity standards in the healthcare industry. However, it does not extend the same level of broad legal protection.

As an amendment to HIPAA, the bill requires HHS to take existing safety measures into account when investigating breaches. A covered entity that has followed “recognized security practices” like the NIST Cybersecurity Framework for at least 12 months will see lower fines and shorter audits if an incident does occur. Importantly, the reverse is not true and organizations that do not follow a specific industry standard will not receive higher fines as a result of this change.

Risk Management Through Cyber Insurance

At first glance, cybersecurity safe harbor laws have a lot in common with cyber insurance: Both require companies to adopt reasonable security measures in order to qualify and both offer protection in the case of an incident, data breach or cyberattack.

However, it’s worth noting that safe harbor laws only apply to very specific cases like tort claims made against your company. Depending on the policy you choose, cyber insurance can protect you from both first- and third-party damages that result from a cyberattack. This means that everything from restoring your network, the revenue lost during your downtime and even the cost of legal fees and settlements is covered.

So while safe harbor laws might offer legal protection, cyber insurance is still an important addition to your company’s risk management strategy in order to protect it from the direct damages caused by hacks or malware attacks.

Difference to Safe Harbor Privacy Principles

Despite their similar name, cybersecurity safe harbor laws have nothing to do with the Safe Harbor Privacy Principles, a now defunct agreement between the EU and the US regarding the transfer of consumer data. Whereas cybersecurity laws offer a safe harbor to companies that implement adequate protection, the Privacy Principles were concerned with the question of whether the personal data of EU citizens was sufficiently protected in the US.

The agreement was struck down in 2015 and replaced with the EU-US Privacy Shield, though negotiations and legal challenges are ongoing.

Map of US states hovering over keyboard of an employee computer.
Learn which US states currently have cybersecurity safe harbor laws in place! Adobe Stock, (c) Pixels Hunter

List of Cybersecurity Safe Harbor Laws by State

Connecticut: Incentivizing the Adoption of Cybersecurity Standards

Connecticut’s safe harbor law, formally known as An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses (HB 6607), was signed into law on July 6 2021 and went into effect on October 1, 2021.

The act protects businesses from punitive damages in any tort cases that allege that the breach was caused by “a failure to implement reasonable cybersecurity controls.” However, it does not apply in cases where the failure to implement was due to “gross negligence or wilful or wanton conduct.”

Iowa: Affirmative Defense for Entities Using Cybersecurity Programs

In 2023, Iowa became the latest state to pass a cybersecurity safe harbor law with the Act Relating to Affirmative Defenses for Entities Using Cybersecurity Programs (House File 553). The bill was signed on May 3 and went into effect on July 1, 2023.

Entities that want to seek an affirmative defense under the act must follow a “written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information and restricted information.” In terms of industry-recognized frameworks, Iowa lists the same standards as previous laws: NIST, HIPAA, FISMA, GLBA, ISO and so on.

There are two differences that set the Iowa act apart from previous safe harbor laws: First, it covers not only breaches of personal information but also some forms of business data (specifically, restricted information). Second, while laws generally state that cybersecurity programs should be of an appropriate scale, the Iowa act specifies that the scope of a program “is appropriate if the cost to operate [it] is no less than the covered entity’s most recently calculated maximum probably loss value.”

Ohio: Data Protection Act

The Ohio Data Protection Act of 2018 (Senate Bill 220) is the earliest safe harbor law for data breaches in the US. It amended various passages of Title 13 of the Ohio Revised Code (“Commercial Transactions”) to offer companies protection in the form of an “affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach.” The law does not include exceptions for negligence.

Oklahoma: Hospital Cybersecurity Protection Act

The Oklahoma Hospital Cybersecurity Protection Act of 2023 (House Bill 2790) carves out an affirmative legal defense against tort cases for any covered entity whose cybersecurity program reasonably conforms to industry-recognized frameworks, addresses all relevant security needs and is appropriate to the size, scope and nature of the organization. However, as the name suggests, this act only applies to hospitals.

Tennessee: Information Protection Act

The Tennessee Information Protection Act is a privacy law that enshrines a number of protections for Tennessee residents when it comes to their personal data, from the ability to opt out of having their information processed to requesting copies or the deletion of personal data. TIPA is also notable for being among the first privacy laws to include a safe harbor provision: By creating a written privacy program that conforms to the NIST privacy framework or a similar standard, organizations can defend against legal claims arising from future violations.

Utah: Cybersecurity Affirmative Defense Act

Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. It offers an affirmative defense against claims that allege failure to implement reasonable information security controls, failure to appropriately respond to a breach or failure to notify affected individuals. To match these broad protections, the act also sets a higher bar for entities looking to qualify.

For instance, in order to count as a reasonable security program, it must include risk assessments and procedures to detect, prevent and respond to breaches. Additionally, companies must assign an employee to coordinate the program and take measures to train employees in the necessary safety practices. The act also includes several exceptions, such as if an entity had notice of a threat and did not act in a reasonable amount of time.

For more information on new IT laws and the latest changes, please consult this overview of cybersecurity legislation by the National Conference of State Legislatures.

Lock hovering over hand, symbolic image for safety measures to protect critical information and private networks.
Upgrade your IT safeguards to be covered by cybersecurity safe harbor laws. Adobe Stock, (c) Ivan

How to Qualify for Cybersecurity Safe Harbor Laws

Choose an Established Standard to Follow

If you would like to improve the cybersecurity of your organization and meet the requirements of your local safe harbor law, the first step is to choose an established framework you would like to implement. Since these documents all cover the same topic, there is significant overlap in terms of their content. However, choosing the right safety standard from the start can help you avoid having to get certified multiple times, especially if you later require a certification for other reasons.

For companies primarily doing business in the US, the NIST Cybersecurity Framework or NIST 800-53 are often the most appropriate choice. If you are competing for government contracts or working in research, NIST 800-171 will prepare you for working with controlled unclassified information. If you have clients or contractors from around the world, choosing the ISO 27000 family can have the added benefit of its international recognition. However, unless your organization is required to comply with a particular standard or federal law (such as HIPAA), the choice is ultimately up to you.

Familiarize Yourself With Its Requirements

Although most people tend to think of information security as an IT topic, security frameworks typically include physical, organizational and technical safeguards. To keep data safe from manipulation and theft, it is equally important to protect it against outside forces like cyberattacks and unauthorized access from within your organization.

Insider threats and employee data theft are a particularly tricky aspect of data protection, since their own employees tend to be a blind spot for most organizations. This is just one of the reasons why limiting access to critical data according to the need-to-know or Least Privilege Principle is considered a best practice in information security.

Find Appropriate Software Solutions

Information security is not a singular issue, but comprises various different aspects such as network safety, intrusion detection, data backups and encryption, device and patch management or access control. Staying on top of all of these requirements is a logistical nightmare, but luckily there are dedicated tools that can help you automate various parts of your security program. Investing into automated software solutions will help you keep your data secure, while also freeing up your IT staff to deal with more productive tasks.

Meet Cybersecurity Standards With tenfold IAM

IAM or Identity and Access Management is one of the cornerstones of information security. By restricting access to the minimum level required for each role and eliminating outdated and unnecessary permissions, IAM solutions help businesses combat both cyberattacks and insider threats. There’s a reason why authentification and access control are key parts of every cybersecurity standard from NIST to the CIS Controls and ISO 27001.

While IAM does not cover every requirement of cybersecurity frameworks, it offers a solid foundation for improving your overall level of data protection, and it does so while saving you time and money by automating many routine tasks involved with user management.

tenfold specializes in IAM for mid-sized businesses: Our access management solution can be set up quickly, is easy to use for everyone from IT admins to HR staff and offers out-of-the-box support for various Microsoft services (like Azure AD or Microsoft 365) and third-party applications. Learn more about our philosophy, our range of plugins and why you should choose tenfold!

White paper

Identity & Access Management Solutions Compared

Our white paper will help you navigate the IAM market, familiarize you with available products and explain key questions to ask yourself when evaluating IAM solutions.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.