Right now, only a handful of states have cyber safe-harbor laws:
- Ohio (2018 – SB 220 - Data Protection Act)
- Utah (2021 – HB 80 - Cybersecurity Affirmative Defense Act)
- Connecticut (2021 – PA 21-119 - Cybersecurity Standards Act)
- Texas (2025 – SB 2610)
Different states, different dates - but the skeleton is the same:
- It’s voluntary, not mandated.
- Your Workbook is mapped to industry frameworks (NIST CSF, CIS Controls, ISO/IEC 27001). We’ll use plain English so you don’t need to be a technician to understand them.
- It only kicks in after a breach, as your affirmative defense in court.
Safe harbor isn’t a free pass. But it’s a powerful shield if you can show your work.