Cybersecurity safe harbor — state by state

A growing list of states have passed affirmative-defense laws: if you maintain a written cybersecurity program that reasonably conforms to a recognized framework (NIST, ISO 27001, CIS, etc.), and you still get breached, the court can dismiss the tort claim. These aren't insurance — they're a legal shield, only available to businesses that can prove the program existed before the incident.

Connecticut H.B. 6607 (2021). Affirmative defense against tort claims alleging failure to implement reasonable cybersecurity controls.

Iowa H.F. 553 (2023). Safe harbor for businesses with a written cybersecurity program aligned to a recognized framework.

Ohio S.B. 220 (2018). The first U.S. safe-harbor law of its kind — the model many subsequent states followed.

Oregon S.B. 1551. Affirmative defense tied to reasonable security practices under a recognized framework.

Tennessee Public Chapter 991. Safe harbor against tort claims for businesses maintaining a qualifying cybersecurity program.

Texas S.B. 2610 (2025). Texas's affirmative-defense statute for businesses with a written cybersecurity program.

Utah H.B. 80 (2021). Utah's Cybersecurity Affirmative Defense Act — the original safe-harbor framework Utah businesses can use as an affirmative defense.