State safe harbor statutes for cybersecurity: what they offer and how to qualify

Your business operates in Texas, Connecticut, Ohio, or Utah. You've heard there's a state law that limits your liability if you align with a recognized cybersecurity framework. You want to know whether it applies to you, what it actually protects you from, and what you have to do to qualify. The marketing copy promises a lot; the statutes themselves are more specific.

Four U.S. states currently have cybersecurity safe harbor statutes for businesses: Ohio (since 2018), Utah (since 2021), Connecticut (since 2021), and Texas (since 2025). The four statutes share a basic structure but differ in important ways: what claims they protect against, which businesses qualify, what frameworks count, and what counts as enough documentation. The differences matter. A program that qualifies in Ohio doesn't automatically qualify in Texas; a defense available in Connecticut isn't available in Utah.

This post walks through each statute and what it takes to qualify. It isn't legal advice. The statutes are real but their application to any specific business is a matter for counsel.

What every safe harbor statute does

Before the differences, the shared structure. Each of the four statutes does roughly the same thing: it offers a covered business a defense in data breach litigation if the business had a written cybersecurity program aligned with a recognized framework before the breach occurred.

The defense isn't immunity. None of the statutes prevent a plaintiff from filing a lawsuit, and none protect against every type of claim. What they offer is a way to limit certain kinds of damages or defeat certain kinds of claims if the business can prove its program qualified.

The protection is also retrospective in a particular sense: the program has to have been in place at the time of the breach. You cannot adopt a program after a breach and claim the safe harbor for that breach. The substantive requirement is that the program existed and was operating before the breach; the written documentation is how the business proves it.

The four statutes also share a "scale and scope" principle. None of them require a small business to implement the same controls as a Fortune 500 company. Each statute explicitly says the program's depth should be appropriate to the size of the business, the nature of its activities, the sensitivity of the data it handles, and the resources reasonably available to it. A 12-person law practice and a 200-person manufacturer can both qualify; they don't need identical programs.

One additional nuance worth knowing. Data breach lawsuits typically plead multiple causes of action: tort claims (such as negligence or invasion of privacy), contract claims (breach of express or implied terms), and statutory claims (under state consumer protection laws, for example). The safe harbor statutes apply to specific categories of claims, generally tort-based. They do not protect against contract claims or claims arising under statute. A plaintiff who alleges both negligence and breach of contract may have one claim defeated by the safe harbor and the other proceed. This is one reason the statutes are framed as defenses or damage limitations rather than general immunity.

Ohio (Senate Bill 220, the Ohio Data Protection Act)

Ohio enacted the first state cybersecurity safe harbor in the United States. Senate Bill 220, codified at Ohio Revised Code §§1354.01 through 1354.05, took effect on November 2, 2018.

What it protects against. An affirmative defense to any tort action brought under Ohio law or in Ohio courts that alleges a business failed to implement reasonable information security controls and that the failure resulted in a data breach. The defense applies to tort claims; it does not apply to contract claims, statutory claims, or claims brought outside Ohio's jurisdiction.

Who qualifies. Any "covered entity" that accesses, maintains, communicates, or processes personal information or restricted information. The statute is broad: businesses, organizations, sole proprietorships, partnerships, and most other forms qualify.

What counts as enough. The business must create, maintain, and comply with a written cybersecurity program that "reasonably conforms" to one of several listed frameworks: the NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53 or 800-53a, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 family. Businesses that accept payment cards can combine PCI DSS with one of the above. Regulated entities can use the cybersecurity requirements of HIPAA, GLBA, FISMA, or HITECH where applicable.

"Reasonably conforms" is meaningful. The statute does not require perfect compliance; it requires good-faith alignment. The cybersecurity program must include administrative, technical, and physical safeguards and must be scaled appropriately for the business.

Utah (Cybersecurity Affirmative Defense Act)

Utah followed in 2021. The Cybersecurity Affirmative Defense Act is codified at Utah Code §§78B-4-701 through 78B-4-706 and took effect May 5, 2021.

What it protects against. Three separate affirmative defenses, not one. The Utah statute is notable for distinguishing among different breach-related claims. The first defense covers claims that the business failed to implement reasonable information security controls. The second covers claims that the business failed to respond appropriately to a breach. The third covers claims that the business failed to appropriately notify individuals whose information was compromised. Each defense requires a written cybersecurity program in place at the time of the breach.

Who qualifies. Any "person" (broadly defined to include businesses, organizations, financial institutions, and unincorporated entities) that maintains a written cybersecurity program that reasonably conforms to a recognized framework and was in place at the time of the breach.

What counts as enough. Reasonably conforming to NIST SP 800-171, NIST SP 800-53, the ISO 27000 family, or, for regulated entities, HIPAA, GLBA, FISMA, or HITECH. Utah's framework list is slightly narrower than Ohio's; it doesn't include the NIST Cybersecurity Framework or CIS Controls directly. Programs that conform to NIST CSF or CIS Controls may still qualify if they can be shown to substantially align with one of the named frameworks.

A specific exclusion worth knowing. Utah's statute denies the affirmative defense if the business had "actual notice of a threat or hazard" and didn't take known remedial efforts within a reasonable time. Receiving a vendor's vulnerability disclosure and doing nothing is a different posture from being unaware of the threat in the first place. The statute treats actual notice as a meaningful threshold.

Connecticut (Public Act 21-119)

Connecticut enacted its safe harbor in October 2021. Public Act 21-119, formally titled "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses," is the third state safe harbor and the most directly modeled on Ohio's.

What it protects against. Connecticut courts cannot assess punitive damages against a covered business in a tort action brought under Connecticut law or in Connecticut courts, if the business maintained a written cybersecurity program conforming to a recognized framework. The protection is narrower than Ohio's: it bars punitive damages specifically, not the underlying tort liability. A plaintiff can still pursue compensatory damages.

Who qualifies. Any business that accesses, maintains, communicates, or processes personal or restricted information, whether the systems it uses are located inside or outside Connecticut. The statute covers any business interacting with Connecticut residents' data.

What counts as enough. A written cybersecurity program with administrative, technical, and physical safeguards that conforms to a recognized framework: the NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53 or 800-53a, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 family. The framework list mirrors Ohio's. Regulated entities can use the security requirements of HIPAA, GLBA, FISMA, or HITECH; businesses accepting payment cards can combine PCI DSS with another framework.

A specific exclusion worth knowing. Connecticut's safe harbor does not apply when the failure to implement reasonable cybersecurity controls is the result of gross negligence or willful or wanton conduct. A business that knowingly skipped basic controls can't claim the defense.

Texas (Senate Bill 2610)

Texas became the fourth state with a cybersecurity safe harbor in 2025. Senate Bill 2610 created Chapter 542 of the Texas Business and Commerce Code and took effect September 1, 2025.

What it protects against. An affirmative defense to exemplary (punitive) damages in tort actions arising from a breach of system security under Texas law. Like Connecticut, Texas protects against punitive damages specifically, not compensatory damages, regulatory enforcement actions, or class certification mechanics.

Who qualifies. Texas businesses with fewer than 250 employees that own or license computerized data containing sensitive personal information. The size cap is the most distinctive feature of the Texas statute: unlike Ohio, Utah, and Connecticut, Texas explicitly limits the safe harbor to smaller businesses.

What counts as enough. Texas SB 2610 introduced something the earlier statutes did not: scaled qualification by business size.

Businesses with fewer than 20 employees can qualify with basic measures: password policies, employee security awareness, and similar foundational controls. The statute deliberately doesn't enumerate exactly which controls satisfy this band; it leaves "basic measures" to be interpreted in light of the business's size, the data it handles, and general due care. In practice, a very small Texas business should at minimum have a written password policy, a documented employee security awareness practice (annual training acknowledgment is the conventional baseline), some form of access management, and verifiable backups.

Businesses with 20 to 99 employees must adopt CIS Controls Implementation Group 1 (CIS IG1), which is a specific, named foundational tier of the CIS Controls. Businesses with 100 to 249 employees must adopt a more advanced framework: the NIST Cybersecurity Framework, NIST SP 800-53 or 800-171, the broader CIS Controls, ISO 27001, or FedRAMP.

Why the Texas scaling matters. The other three statutes use the "scale and scope" principle to vary the depth within any chosen framework. Texas takes a different approach: at each company-size band, a specific framework family is named as the qualifying baseline. A 40-person Texas business cannot qualify by adopting only password policies; CIS IG1 is the floor. A 150-person Texas business needs a more advanced framework than CIS IG1.

What the differences mean practically

A few practical implications for any business considering safe harbor positioning.

If you operate in more than one of these four states, your program needs to satisfy whichever statute applies to the breach in question, which usually means the state whose residents were affected or whose laws the suit was brought under. A program built to qualify in Ohio (broad framework choice, reasonable conformance) will usually also satisfy Connecticut. The same program may not satisfy Texas if the business is in the 20-249 employee range and the chosen framework isn't on Texas's specific list at the applicable size band. CIS Controls Implementation Group 1 happens to satisfy Texas's 20-99 band, all of Ohio's framework requirements, and all of Connecticut's framework requirements; for businesses operating in all three states, CIS IG1 is a clean common denominator.

If you're a regulated entity (healthcare under HIPAA, financial services under GLBA), the safe harbor statutes generally accept your regulated cybersecurity framework as qualifying, but the framework must actually cover the personal information at issue. A HIPAA security program protects protected health information; it doesn't necessarily protect other categories of personal or restricted information defined under state law. Programs may need to extend beyond the regulated baseline to cover the full data scope.

If you handle data of residents in states that don't have safe harbor statutes, you still benefit from a documented cybersecurity program: the program supports general defensibility (evidence of due care) even when no specific safe harbor applies. The four-state protection is specific; the broader defensive value of documented controls is universal.

The documentation is the substantive requirement. Each of these statutes requires a written cybersecurity program in place at the time of the breach. Verbal commitments don't qualify. Informal practices don't qualify. The program has to exist on paper, be operationally followed, and be demonstrable to a court. The work of qualifying is the work of building and maintaining that documented program, which is the same work the business should be doing for its own operational reasons regardless of safe harbor.

A self-attestation documenting the framework alignment, signed by ownership, dated, and reviewed annually, is the artifact most directly relevant to the safe harbor question. It doesn't substitute for the underlying program, but it's the documentation a court would want to see first.
If you'd rather not assemble the documented program and the self-attestation from scratch, TACSOP includes the policies, procedures, and frameworks needed to align with CIS Controls Implementation Group 1, plus a State Safe Harbor Self-Attestation template for the Texas, Connecticut, Ohio, and Utah statutes. The kit produces the documentation the statutes ask for; what's protected is what your business actually does with it. The kit is here. Consult counsel for state-specific legal questions.