ARTICLE
17 October 2025

Incident Response Defenses: Can You Take Advantage Of A Cyber Program Safe Harbor?

Liisa M. Thomas, Sheppard Mullin Richter & Hampton

We are in the final quarter of the year, which for many organizations is budgeting and planning season for a range of issues, including (hopefully!) data incident preparedness. Is your organization able to take advantage of one of the growing number of state safe harbor provisions? In particular, Connecticut, Iowa, Ohio, Oklahoma (beginning January 1, 2026), Oregon, Texas (as of September 2025, for entities with fewer than 250 employees), and Utah provide certain affirmative defenses against claims resulting from data breaches. The safe harbor is available if the company has a "qualified" cybersecurity program. What that means varies by state.

For Connecticut, Ohio, Utah, and Texas, the program must protect the confidentiality and security of personal information against threats, and against unauthorized access or acquisition that could result in material fraud. In Oregon, the business must use "reasonable" security measures. In Iowa, the program must evaluate and protect against risks, annually calculate the probable loss from a breach, and communicate to impacted parties how they can reduce damages. Additionally, in Texas companies must meet specific operational requirements (such as access controls and training), with specifics that depend on the size of the organization.

In Connecticut, Iowa, Ohio, and Utah, businesses can also qualify by complying with an industry-recognized cybersecurity framework (such as NIST's Cybersecurity Framework) or, where applicable, with laws like the Gramm-Leach-Bliley Act or HIPAA. Texas, however, makes compliance with one of these frameworks a requirement of the program rather than an alternative route to qualifying.

Finally, Tennessee and Nebraska both provide a safe harbor that does not turn on the company's security program; instead, the defense applies as long as the incident did not result from the company's willful misconduct or gross negligence.

Putting It Into Practice: Now is a good time to review your current cybersecurity program. Many organizations are planning incident response tabletops, but examining whether you qualify for a safe harbor is another good way to mitigate risk for the "not if but when" of data incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
