States Enact Safe Harbor Laws That Provide Affirmative Defenses In Data Breach Litigation

Wilson Elser Moskowitz Edelman & Dicker LLP

Contributor

More than 800 attorneys strong, Wilson Elser serves clients of all sizes across multiple industries. It maintains 38 domestic offices, another in London and enjoys more extensive international reach as a founding member of Legalign Global. The firm is currently ranked 56th in the National Law Journal's NLJ 500.

In response to the growing threat of cybersecurity attacks, some state legislatures are creating incentives for private-sector companies to strengthen their cybersecurity practices. Those incentives include safe harbor laws authorizing companies facing data breach litigation to assert an affirmative defense against liability if the company can establish that it maintained an information security program that conforms to recognized standards. These policies have the goal of encouraging companies to adopt cybersecurity best practices, even in sectors that do not currently have specific cybersecurity requirements. The following provides an overview of these policies enacted by several states.

Ohio was the first state to enact a data security safe harbor law. Enacted in 2018, Ohio Rev. Code § 1354.02 provides an affirmative defense to tort claims alleging that an entity's failure to implement reasonable information security controls resulted in a data breach involving personal information if the entity implements a written cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework. Ohio listed the following examples of such recognized frameworks: (1) NIST Cybersecurity Framework; (2) NIST SP 800-171; (3) NIST SP 800-53 and 800-53a; (4) FedRAMP; (5) CIS Critical Security Controls; and (6) ISO 27000 series. Ohio also recognizes the Payment Card Industry Data Security Standard (PCI-DSS), as well as the existing data security regulations under HIPAA for health care entities and the Gramm-Leach-Bliley Act for financial institutions.

Utah enacted Utah Code § 78B-4-701 in 2021, which is similar in spirit to Ohio's law but with some modifications. Utah expands the scope of the affirmative defense to include claims alleging that a person did any of the following if the person "reasonably complies" with a "recognized cybersecurity framework": (1) "failed to implement reasonable information security controls that resulted in the breach of system security" without limiting it to claims sounding in tort; (2) "failed to appropriately respond to a breach of system security"; and (3) "failed to appropriately notify an individual whose personal information was compromised in a breach of system security." Utah lists the same recognized frameworks as Ohio.

Utah creates an exception to the availability of the affirmative defense where the person "had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information" and "did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard." Utah limits "actual notice" by stating that "a risk assessment to improve the security, confidentiality, or integrity of personal information is not an actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information."

Connecticut enacted Conn. Gen. Stat. § 42-901 in 2021, which provides an affirmative defense only to "punitive damages" but not to liability altogether. Otherwise, Connecticut's law follows Ohio's model.

Iowa enacted Iowa Code Ann. § 554G.2 in 2023, which is similar in spirit to Ohio's law in that it provides an affirmative defense to tort claims arising out of a data breach if the company implements a written cybersecurity program that reasonably conforms to an industry-recognized framework. However, Iowa departs from Ohio's model by introducing the concept of "maximum probable loss," meaning the total value of possible damage multiplied by the probability of the event occurring. Iowa then requires companies to invest at least that much into their cybersecurity program to qualify for the affirmative defense.

Oklahoma enacted 18 Ok. Stat. § 2070 in 2023, which creates a safe harbor that is limited to hospitals. The safe harbor provides an affirmative defense against tort claims arising out of a data breach if the hospital can demonstrate reasonable conformance with HIPAA and HITECH's data security regulations.

Tennessee passed HB 2434, effective May 21, 2024, which provides the following: "a private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity." Notably, the law is limited to class actions and has no bearing on individual suits.

Possible Future State Legislation
The West Virginia Legislature passed a similar data security safe harbor law in 2024, but it was vetoed by Governor James Conley Justice II. The governor expressed support for the law's intent, but he cited concerns regarding how the law as drafted might apply to claims against social media companies. The West Virginia Legislature may come forward with a revised bill to address the governor's concerns.

In Florida, the legislature passed a similar safe harbor law in March 2024 that is awaiting Governor Ron DeSantis's signature. A veto remains a possibility for Florida's law as well.

Cybersecurity Best Practices
These laws are part of the public policy response to the growing threat of cybersecurity attacks: they encourage companies to strengthen their cybersecurity practices by rewarding them with a defense. Laws that incentivize best practices in this way stand in contrast to laws such as California's CCPA, which creates a private right of action for individuals whose personal information was affected by a data breach and authorizes those individuals to recover between $100 and $750 per violation. Cal. Civ. Code § 1798.150.

It has never been more important for companies to evaluate their cybersecurity posture and implement best practices. Companies have options, as there are numerous industry standards they can follow to strengthen their networks against attacks. Wilson Elser's experienced data security attorneys can support companies as they strengthen their cybersecurity practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
