Cyber Safe Harbors

Great news on Affirmative Defenses for those in Utah, Ohio and Connecticut. Awesome! But how?

Getting hit with a cyber attack is awful.

With most attacks including both ransomware and data exfiltration (i.e. grabbing all the data), there's a double whammy right from the start.

The news can get worse when the attorneys start calling. Post-breach, organizations are finding they may have legal liability.

Now I'm just sounding pretty negative, so let's flip this post back to something positive...

So far, three states have passed Cybersecurity "Safe Harbor" laws to provide guidance on affirmative defenses to avoid that third gut punch of legal liability. (As always, this is NOT legal advice - it should come as no surprise that we're not attorneys here.)

Those states are: Ohio, Utah and Connecticut.

Good news: the requirements are understandable and clear.

We'll give some highlights of each below, and you'll notice the overlap amongst each state's rules:


Ohio is the OG in this one - their law dates back to 2018.

Where do we start?

  • Develop a written cybersecurity program that conforms to an “industry recognized cybersecurity framework” (more on that later)
  • Maintain compliance with that program

What does my program need to do?

  • protect the security and confidentiality of restricted or personal information
  • prevent “anticipated threats or hazards to the security or integrity” of that information
  • secure any access to sensitive information and prevent unauthorized acquisition

Adequately following Ohio's Section 1354.02 grants organizations "an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state..."


Next up is Utah, which passed the Cybersecurity Affirmative Defense Act (H.B. 80) in March of 2021:

Where do we start?

  • Create and maintain a written cybersecurity program that follows an established cybersecurity framework (again, more on that later)
  • Ensure the program is live at the time of any attack in question

What does my program need to do?

  • protect the “security, confidentiality, and integrity of personal information”
  • protect against any anticipated threat or loss of that information
  • protect against a breach of system security

Utah also states that the program should take into account things like:

  • the size and complexity of the organization
  • the “nature and scope” of the organization’s activities
  • the sensitivity of the information under protection
  • the availability and cost of security tools


And let's move on to Connecticut, which names its laws ever so effectively, like "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses". I mean, I'm no lawyer (remember that disclaimer above), but it seems they could do a little better there... Ok, on to the rules:

Where do we start (don't gasp)?

  • Create and maintain a written cybersecurity program that follows an established cybersecurity framework (and again, more on that at the end)
  • Ensure that program is updated as the identified framework changes

And from there, Connecticut makes it easy - they simply highlight the qualifying regulations to allow organizations to stand on this affirmative defense.

Which Regs?

Ok, let's put a bow on this thing.

You've noticed that each one of these states requires compliance with a written cybersecurity program. That program must follow an established and accepted regulation or framework.

So now what are some of the conforming regulations and frameworks?

All of these require work to accomplish, but compliance with these standards provides an excellent security foundation.

As you might have suspected, INFIMA provides its Partners with Security Awareness Training Policies, built for each client.

And hey, if you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Disclaimer: we're not attorneys, never want to be attorneys, and shouldn't be relied on as providing legal advice!

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.