Connecticut joins states offering businesses a “Safe Harbor” against data breach lawsuits


By: Barry Miller

Connecticut has become the third state to pass a “Safe Harbor” statute offering protection to businesses who face civil lawsuits based on data breaches. 

The Connecticut statute, which took effect in October, encourages businesses to adopt one of six cybersecurity frameworks, including three standards published by the National Institute of Standards and Technology (NIST). It also protects businesses already regulated by federal data statutes or regulations if the companies’ cybersecurity plan conforms with the requirements of those statutes. 

Ohio was the first to pass such a statute in 2018. Ohio Revised Code 1354.01 through 1354.05 also protects entities that adopt an approved framework, or who have a cybersecurity plan conforming with certain federal statutes or regulations. Under section 1354.02(D), entities that conform to an approved standard may raise an affirmative defense in any tort claim based on a data breach that they acted reasonably to protect electronic information.  

In March, Utah enacted the Cybersecurity Affirmative Defense Act, which gives the same protection.  

Unlike its predecessors, Connecticut does not affect tort claims for actual damages. It does, however, prohibit courts from assessing punitive damages against entities who create, maintain, and comply with a recognized cybersecurity framework.  

More states will consider safe harbor statutes that encourage businesses to adopt written cybersecurity plans. As the trend continues, business owners should assess the risk that data breach claims present and consider managing that risk by implementing a compliant and up-to-date cybersecurity plan. Contact any of the attorney’s in Freeman Mathis & Gary’s Data Security, Privacy & Technology practice group for help in leading this change or contact Barry Miller at