Cybersecurity Safe Harbor Laws Expand Across Six States, Offering Legal Protection

New state regulations provide liability shields for businesses that implement recognized security frameworks: RIMS.
October 2, 2025
Six U.S. states now offer legal safe harbors that protect organizations from punitive damages following cyberattacks, provided they maintain comprehensive cybersecurity programs that conform to industry-recognized frameworks, according to a new whitepaper from RIMS.

Connecticut, Iowa, Ohio, Oregon, Tennessee and Utah have enacted legislation that shields businesses from certain legal liabilities when data breaches occur, marking a significant shift in how states approach cybersecurity governance, according to the report. These laws generally require organizations to create, maintain and comply with written cybersecurity programs that include administrative, technical and physical safeguards.

The frameworks vary by state but share common elements. Ohio’s law protects organizations that reasonably conform to frameworks such as the National Institute of Standards and Technology’s cybersecurity guidelines. Iowa takes a unique approach by requiring companies to spend at least as much on their cybersecurity program as their calculated maximum probable loss from a breach, assessed annually. Tennessee’s Information Protection Act, taking effect July 1, 2025, extends protections to both data controllers and processors that implement qualifying privacy frameworks.

“Risk professionals continue to play an integral role in preparing their organizations to avoid, mitigate and recover from cyberattacks,” the report’s authors said, emphasizing that compliance must be a key component of cyber strategy for organizations operating across multiple jurisdictions.

Navigating Complex Compliance Requirements Across Jurisdictions

Organizations face the challenge of meeting diverse requirements as they expand across state lines. While most states accept compliance with established frameworks like NIST, FedRAMP, or ISO/IEC 27000-series standards, specific provisions differ significantly, according to the report. Utah requires organizations to respond to known security threats within a reasonable timeframe or lose their affirmative defense. Oregon allows companies to qualify by complying with federal information security regulations that provide greater protection than state requirements, including the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act.

The scale and scope of state requirements also vary considerably. Ohio considers factors including organization size, activity scope, information sensitivity, and available resources when determining program appropriateness. Iowa’s mathematical approach ties spending directly to risk assessment, creating a clear but potentially costly benchmark for compliance.

Strategic Opportunities for Risk Management Programs

These safe harbor provisions create incentives for organizations to strengthen their cybersecurity postures beyond mere compliance, the RIMS report said. Companies that invest in comprehensive programs aligned with recognized frameworks can operate with greater confidence, knowing they have potential legal protection if breaches occur despite their best efforts.

The report emphasizes that understanding and leveraging safe harbor laws provides “an additional layer of protection” beyond technical defenses. For risk professionals, these regulations offer a roadmap for building programs that satisfy both security needs and legal requirements. Organizations can use these guidelines to confidently enter new markets while simultaneously strengthening their overall cybersecurity defense capabilities.

At the federal level, additional protections exist through Federal Communications Commission data breach notification requirements and the SAFETY Act for government contractors, suggesting that even non-government entities might benefit from adopting similar anti-terrorism and cybersecurity measures where feasible.

“Cyberbreaches are bound to happen, so understanding and leveraging safe harbor laws can provide an additional layer of protection,” the report’s authors said. “Beyond addressing the legal damages that correspond with a cyberattack, these regulatory guidelines can provide an invaluable guide for organizations to confidently enter into new markets across the United States while, simultaneously, building a stronger, more robust cybersecurity defense.”

View the RIMS whitepaper here.