It is well known that data breaches and associated litigation are on the rise. The number of data breach incidents in the United States more than doubled over five years, from 1,278 incidents in 2019 to 3,158 in 2024. Identity Theft Resource Center, 2024 Data Breach Report 9 (Jan. 2025). The harm associated with these breaches is increasing as well—in 2024, the average cost of a data breach in the US surged to $10.2 million, its highest ever. IBM, Cost of a Data Breach Report 2025 (2025).
One driver of these increased costs is litigation by private plaintiffs in the wake of a data breach. In 2024 alone, data breach litigation led to a $350 million settlement with Alphabet, the parent company of Google, a $65 million settlement with the hospital network Lehigh Valley Health Network, and a $30 million settlement with the genetic testing service 23andMe. See In Re Alphabet Inc. Sec. Litig., No. 18-CV-6245 (N.D. Cal. Sept. 30, 2024); Doe v. Lehigh Valley Health Network Inc., No. 23-CV-1149 (Penn. Commw. Ct. Nov. 15, 2024); In Re 23andMe Inc. Customer Data Sec. Breach Litig., Case No. 24-MD-3098 (N.D. Cal. Dec. 4, 2024).
The increasingly large litigation costs are due in part to a greater willingness by courts to recognize harms like identity theft or identity fraud as adequate injuries to support a lawsuit. They are also due to new state data privacy legislation. There are now 19 state-enacted comprehensive data privacy laws, some of which, like California’s, explicitly grant consumer-victims of a data breach a private right of action in certain circumstances. IAPP, US State Comprehensive Privacy Laws Report (2024).
Confronted with the increasing costs of data breach litigation, some states have begun implementing safe harbor statutes that shield businesses from liability for data breaches when those businesses have taken certain affirmative steps to protect their customers’ data before the breach. These safe harbor laws offer the possibility of substantial protection to organizations that implement reasonable industry-standard cybersecurity measures. However, their nascent stage and relative diversity across different states will require practitioners to analyze each law’s specific requirements carefully to ensure protection.
Ohio’s 2018 Data Protection Act was the first state data privacy law to include a safe harbor provision, and has served as a model for subsequent state safe harbor laws. The Act provides an affirmative defense to data breach tort claims to any entity that “create[s], maintain[s], and compl[ies] with a written cybersecurity program” that “reasonably conforms” to one of several recognized industry or government data security frameworks. See Ohio Rev. Code §§ 1354.01–1354.05. The entity’s written cybersecurity program must reasonably conform to the current version of certain recognized industry cybersecurity frameworks (or to certain federal data security frameworks if the entity is regulated by the state or federal government), and to any revised version of the entity’s chosen framework within one year. See id. § 1354.03. The Ohio legislature anticipated that the Act would “reduce the likelihood that certain plaintiffs file [a data breach] action” and would allow “court[s] . . . to more promptly dispose of [data breach] case[s].” Ohio Legislative Service Commission, Fiscal Note & Local Impact Statement (September 2018).
Several other states have begun following Ohio’s lead. Utah’s Cybersecurity Affirmative Defense Act, adopted in 2021, largely tracks the Ohio Data Protection Act, but with some differences that on balance could lead to slightly increased protection for covered entities. See Utah Code Ann. §§ 78B-4-701 to 78B-4-706. First, the Utah safe harbor does not apply if the entity had actual notice of a data breach threat and did not take remedial efforts. Id. § 78B-4-702(5)(a). Second, in addition to providing a safe harbor to entities whose cybersecurity protocols reasonably conform to the same industry and government data security frameworks included in Ohio’s Data Protection Act, Utah’s law also protects entities that utilize a “reasonable security program” meeting certain requirements. Id. § 78B-4-703(1)(b)(i) & (2). This change allows entities that wish to follow their own reasonable cybersecurity frameworks to do so and still receive safe harbor protection. Finally, whereas Ohio’s safe harbor law requires entities to “comply” with their cybersecurity programs to receive protection, Utah requires only that an entity “reasonably complies” with its program to receive protection. Id. § 78B-4-702(1). It is possible that this difference in language between the Ohio and Utah laws could provide broader safe harbor protection to covered entities under Utah’s law.
Connecticut also passed a safe harbor law in 2021, but with significant differences from Ohio’s that make it less protective. See Conn. Gen. Stat. § 42-901. First and most importantly, Connecticut’s law only protects entities from liability for punitive damages in an action alleging a failure to implement reasonable cybersecurity controls. See id. § 42-901(b). Second, the law provides no safe harbor if the alleged failure to implement cybersecurity controls was the result of “gross negligence or wilful or wanton conduct.” Id. Finally, entities are given only six months, rather than one year, to conform to the revised version of their chosen cybersecurity framework. Id. § 42-901(c).
Iowa’s safe harbor law, passed in 2023, largely follows the Ohio model, but with one key difference. See Iowa Code §§ 554G.1–554G.4. Whereas Ohio’s, Utah’s, and Connecticut’s safe harbor laws employ a multi-factor approach to determining the appropriate size and scope of an entity’s cybersecurity program that depends on things like the sensitivity of the covered data and the entity’s size and complexity, see, e.g., Ohio Rev. Code § 1354.02(C), Iowa’s safe harbor law states that an entity may assert an affirmative defense to a data breach action only “if the cost to operate [its] cybersecurity program is no less than the covered entity’s most recently calculated maximum probable loss value,” Iowa Code § 554G.2(c)(3). Thus an entity that expects $5 million in probable losses from a data breach would need to spend at least $5 million on its cybersecurity program to qualify for safe harbor protection under Iowa’s law, in addition to following the same types of requirements common to the other safe harbor laws. Such a costly requirement is likely to reduce the practical utility of Iowa’s safe harbor law significantly.
Tennessee has taken a more protective approach, establishing a willfulness standard for any data breach class action. Its 2024 safe harbor law provides simply that a “private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the cybersecurity event was caused by willful and wanton misconduct or gross negligence on the part of the private entity.” Tenn. Code § 29-34-215(b). By limiting businesses’ liability in class action lawsuits to data breaches resulting from gross negligence or willful or wanton misconduct, Tennessee’s safe harbor law is likely the most protective in the nation.
Whether this trend continues remains to be seen. Just this year, Texas passed a bill providing safe harbor protection for small and mid-sized businesses with fewer than 250 employees. See 2025 Tex. Sess. Law Serv. Ch. 1029 (S.B. 2610). But in 2024, the Florida and West Virginia legislatures passed safe harbor laws only to see them vetoed by their respective governors. See R. DeSantis, Letter to Sec. of State Byrd, June 26, 2024; J. Justice, Letter to Sec. of State Warner, Mar. 27, 2024.
This patchwork of state safe harbor laws offers some protection to businesses looking for solutions to the ever-increasing wave of data breaches and associated litigation. As the legislative landscape continues to evolve, one thing is clear: a proactive approach to data protection and cybersecurity, especially one that conforms to recognized industry and government cybersecurity frameworks, will provide the maximum protection to businesses and other entities in the event of a data breach.