Reducing Your Exposure: Liability Limitations for Cybersecurity-Compliant Organizations

What You Need to Know

  • Key takeaway #1

    A growing number of states have enacted laws that limit civil liability for organizations that maintain qualifying cybersecurity programs. Designed to incentivize proactive cybersecurity investment, safe harbor laws can materially reduce legal exposure and change potential liability profiles following an incident.

  • Key takeaway #2

    The protections offered by state cybersecurity safe harbors can be significant, but it’s important to consider the limitations provided by such protections. Qualifying organizations may avoid punitive damages, class action exposure, or broader tort liability. However, safe harbor laws passed to date do not eliminate all liability risk, including breach notifications and statutory duties, government and regulatory enforcement, or contractual liability.

  • Key takeaway #3

    Qualifying for a safe harbor is not always straightforward. Requirements vary by state and may include a formal written program or adherence to a recognized industry framework, among others. Organizations should evaluate their operations across applicable states and determine how they can best avail themselves of the respective laws.

Client Alert | 7 min read | 04.02.26

Organizations facing cyber incidents increasingly encounter follow-on civil litigation alleging failures to implement reasonable security measures. In response, a growing number of states — the most recent being Oklahoma this year — have enacted safe harbor laws designed to both protect consumers and reward organizations that take a proactive, documented, and structured approach to cyber threats.

The safe harbor provisions for companies that adopt cybersecurity frameworks prescribed by state law fall into three broad categories:

  • An affirmative defense against claims following a cybersecurity event.
  • Class action protections in ensuing litigation.
  • Damages limitations or exclusions.

The Affirmative Defense Option

States in this group allow a qualifying organization to raise compliance as a defense in litigation following a cybersecurity breach. The scope of the defense varies by state, and while some apply to any claim, others are limited to tort claims or actions under a specific statute:

Oklahoma: Security Breach Notification Act
  Effective Date: Jan. 1, 2026
  Who’s Covered: Individuals or entities that own, license, or maintain computerized data that includes personal information.
  Key Requirements: Use “reasonable safeguards” and provide breach notice as required by the act.
  Safe Harbor: Not subject to civil penalties and may use compliance as an affirmative defense in a civil action filed under the act.

Iowa: Iowa Code Chapter 554G: Tort Liability - Cybersecurity Programs
  Effective Date: July 1, 2023
  Who’s Covered: Covered entities, meaning businesses that access, receive, store, maintain, communicate, or process personal information or restricted information in or through one or more systems, networks, or services located in or outside Iowa.
  Key Requirements: Create, maintain, and comply with a written cybersecurity program, containing administrative, technical, operational, and physical safeguards, that reasonably conforms to an industry-recognized cybersecurity framework as specified in the act.
  Safe Harbor: Affirmative defense to any tort claim alleging that failure to implement reasonable information security controls resulted in a data breach of personal information or restricted information.

Utah: Utah Code §§ 78B-4-701 to 706: Cybersecurity Affirmative Defense Act
  Effective Date: May 5, 2021
  Who’s Covered: Any person, meaning an individual, association, corporation, joint stock company, partnership, business trust, or unincorporated organization, including financial institutions.
  Key Requirements: Create, maintain, and reasonably comply with a written cybersecurity program, in place at the time of a breach, containing administrative, technical, and physical safeguards for personal information, that reasonably conforms to an industry-recognized cybersecurity framework as specified in the act.
  Safe Harbor: Affirmative defense to any claim brought under the laws of Utah alleging that the person failed to implement reasonable information security controls, failed to appropriately respond to a breach, or failed to appropriately notify affected individuals of a breach, provided the cybersecurity program included response and notification protocols that were followed.

Ohio: Ohio Revised Code Chapter 1354: Businesses Maintaining Recognized Cybersecurity Programs
  Effective Date: Nov. 2, 2018
  Who’s Covered: Covered entities, meaning businesses that access, maintain, communicate, or process personal information or restricted information in or through one or more systems, networks, or services located in or outside Ohio.
  Key Requirements: Create, maintain, and comply with a written cybersecurity program containing administrative, technical, and physical safeguards for the protection of personal information, or both personal information and restricted information, that reasonably conforms to an industry-recognized cybersecurity framework as specified in the act, scaled to the size and complexity of the entity, the nature and scope of its activities, the sensitivity of the information held, and the cost and availability of tools and resources available to the entity.
  Safe Harbor: Affirmative defense to any tort cause of action brought under the laws of Ohio alleging that failure to implement reasonable information security controls resulted in a data breach of personal information, or both personal information and restricted information, depending on the scope of the entity’s cybersecurity program.

The Class Action Liability Shield

States in this group protect a qualifying organization from class action liability arising out of a cybersecurity event:

Nebraska: Nebraska Revised Statute 87-1201: Cybersecurity Event; Liability of Private Entity
  Effective Date: Sept. 3, 2025
  Who’s Covered: Private entities, meaning corporations, religious or charitable organizations, associations, partnerships, limited liability companies, limited liability partnerships, or other private business entities, whether organized for-profit or not-for-profit.
  Key Requirements: Do not engage in willful, wanton, or gross negligence in connection with a cybersecurity event.
  Safe Harbor: Not liable in a class action resulting from a cybersecurity event, unless the cybersecurity event was caused by willful, wanton, or gross negligence on the part of the private entity.

Tennessee: Tennessee Code Annotated, Title 29, Chapter 34, Part 2
  Effective Date: May 21, 2024
  Who’s Covered: Private entities, meaning corporations, religious or charitable organizations, associations, partnerships, limited liability companies, limited liability partnerships, or other private business entities, whether organized for-profit or not-for-profit.
  Key Requirements: Do not engage in willful and wanton misconduct or gross negligence in connection with a cybersecurity event.
  Safe Harbor: Not liable in a class action lawsuit resulting from a cybersecurity event.

The Damages Cap or Exclusion

States in this group protect a qualifying organization from specific categories of damages, including exemplary, punitive, or general damages:

Texas: Business & Commerce Code: Chapter 542. Cybersecurity Program
  Effective Date: Sept. 1, 2025
  Who’s Covered: Texas business entities with fewer than 250 employees that own or license computerized sensitive personal information.
  Key Requirements: Implement and maintain a cybersecurity program containing administrative, technical, and physical safeguards and conforming to an industry-recognized cybersecurity framework, scaled to the size of the business entity.
  Safe Harbor: Protects a covered business entity from exemplary damages arising from a breach of system security.

Connecticut: Public Act No. 21-119: An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses
  Effective Date: Oct. 1, 2021
  Who’s Covered: Covered entities, meaning businesses that access, maintain, communicate, or process personal information or restricted information in or through one or more systems, networks, or services located in or outside Connecticut.
  Key Requirements: Create, maintain, and comply with a written cybersecurity program, containing administrative, technical, and physical safeguards for the protection of personal or restricted information, that conforms to an industry-recognized cybersecurity framework, and design the program in accordance with the statutory requirements.
  Safe Harbor: Protects a covered entity from an award of punitive damages in any tort action alleging that failure to implement reasonable cybersecurity controls resulted in a data breach, unless the failure was the result of gross negligence or willful or wanton conduct.

Nevada: Nevada Revised Statutes Chapter 603A.215: Security Measures for Data Collector that Accepts Payment Card; Use of Encryption; Liability for Damages; Applicability
  Effective Date: Jan. 1, 2010 (amended in 2011)
  Who’s Covered: Any governmental agency, institution of higher education, corporation, financial institution, retail operator, or other business entity or association doing business in Nevada that handles, collects, disseminates, or otherwise deals with nonpublic personal information.
  Key Requirements: If accepting payment cards: comply with the current version of the PCI Data Security Standard. If not accepting payment cards: use encryption when transferring personal information via electronic, non-voice transmission outside the data collector’s secure system, or when moving any data storage device containing personal information beyond the logical or physical controls of the data collector.
  Safe Harbor: Not liable for damages for a breach of the security of the system data, provided the data collector is in compliance with the statute and the breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.

Practical Considerations for Your Cyber Program

  • As businesses increasingly begin to realize that cybersecurity incidents are not an “if,” but rather a “when” proposition, safe harbor laws reward organizations that take a proactive, documented, and structured approach to cyber threats.
  • Organizations may use these laws to assert affirmative defenses, set “reasonableness” standards in civil litigation, and establish strong litigating positions that may be conducive to early settlement discussions.
  • Abiding by standards set in safe harbor provisions can also influence how courts and regulators in that state determine baseline cybersecurity compliance and potential negligence by an organization.
  • Companies that implement cybersecurity standards in line with safe harbors may also be in a stronger position to argue for reduced penalties or narrower remedies outside of the statutory protections.
  • Qualifying for these protections requires careful attention to several considerations, including: selecting the correct framework that aligns with your organization’s size, industry, and risk profile; ensuring your program is appropriately scaled and covers the right categories of information; maintaining written incident response and notification protocols that are actually followed; and keeping pace with updates to your adopted framework over time.
  • Achieving safe harbor protection is not a one-time exercise. Several of the state laws reference or incorporate cybersecurity frameworks that require ongoing evaluations to ensure effective measures.
  • Safe harbors will not apply if there are gaps in implementation, “paper” compliance, or misleading disclosures or control failures.
  • Safe harbor laws are not a guarantee against liability. Most are limited to certain claim types and often contain important carve-outs that can eliminate the protection entirely, depending on the circumstances.
  • Safe harbors also do not prevent lawsuits from being filed. Companies whose cybersecurity measures conform to safe harbor requirements may still have to litigate, but they may have stronger arguments at trial or may avoid more onerous penalties or damages.
  • Each state implements its safe harbor differently and organizations operating across multiple states should conduct cross-jurisdictional gap analyses, because a program sufficient for safe harbor protection in one state may fall short in another.

If you would like to discuss how these laws apply to your organization or assess your current cybersecurity program against applicable safe harbor requirements, please contact Crowell & Moring.
