Cyber-attacks are an inevitability that every organization will face in the upcoming years. If found unprepared to deal with a potential data breach or security incident, organizations will face catastrophic consequences including financial repercussions, litigation, loss of business, and reputational damage. Any one of these consequences can sink a business into the ground within months. Focusing on the litigation aspect of cybersecurity, it is important that businesses take the steps to secure themselves and their data, while also protecting themselves from lawsuits in the event a breach occurs. This is where safe harbor laws come into effect.
Texas has become the latest state to pass Safe Harbor law: Effective September 1, 2025, small and mid-sized businesses (SMBs) in Texas with fewer than 250 employees will be granted a safe harbor from exemplary (punitive) damages in the event of a data breach—provided they implement and maintain a recognized cybersecurity framework, such as the CIS Controls.
What are Safe Harbor Laws?
Safe harbor laws have been passed in several states to help protect organizations from facing legal repercussions due to a security incident while also incentivizing these businesses to pursue greater security. These pieces of legislation protect businesses from litigation if they are found to have implemented a level of "reasonable cybersecurity" by following an approved security framework and having a written cybersecurity plan.
This means that if your business can prove it has implemented the necessary security measures, then you are protected from facing privacy lawsuits as a result of a data breach.
Safe harbor laws have only been around for a couple of years with Ohio being the first to enact such legislation in 2018. Several other states have followed in Ohio's footsteps and implemented their own safe harbor laws with only minor changes.
Here is a list of the states that have implemented safe harbor laws:
- Ohio: Data Protection Act (2018)
- Connecticut: Incentivizing the Adoption of Cybersecurity Standards (2021)
- Utah: Cybersecurity Affirmative Defense Act (2021)
- Iowa: Affirmative Defense for Entities Using Cybersecurity Programs (2023)
- Texas: Texas Cyber Command (2025)
In order to meet the requirements of these safe harbor laws, your organization will have to implement an approved cybersecurity framework. These frameworks provide controls and guidelines to help protect against cyber threats and in some cases ensure compliance depending on the industry.
Several of the frameworks that are recognized by these safe harbor laws include: NIST CSF, NIST 800-171, The CIS Controls, FedRAMP, HIPAA, PCI DSS, and more.
Texas Latest State to Adopt Safe Harbor Law - Texas Cyber Command
Governor Greg Abbott has enacted Senate Bill 2610, establishing Texas as the latest state to introduce a cybersecurity safe harbor and the sixth to formally define “reasonable cybersecurity” within its legal framework. This legislation encourages businesses to strengthen their cybersecurity posture by providing protection from exemplary (punitive) damages following a data breach, as long as they comply with clearly defined cybersecurity standards.
What Framework Should You Use?
There are a number of recognized frameworks that these safe harbor laws use to quantify "reasonable cybersecurity". Some of them are industry specific (for example HIPAA), while others are broader and applicable to all businesses. Out of all of these, CorpInfoTech recommends the CIS Controls as the go-to framework for maximum security coverage.
The CIS Controls are a prescriptive set of cybersecurity controls that address the most common security threats that businesses face today. The Controls are divided into 18 security domains, or "controls", each of which contains a number of practical safeguards. These safeguards are then grouped into three "implementation groups" that are divided by "risk size". The Controls are technology agnostic and are applicable to any organization regardless of size or industry.
CorpInfoTech is the first managed service provider (MSP) to be accredited under the CIS Controls, and we have also implemented the Controls in our own services since their inception in 2008. This means that our expertise in implementing the Controls, both in our own organization and in our clients', is externally verified and vouched for by the Center for Internet Security (CIS). Our MSP offers IT and cybersecurity solutions that include security/risk assessments, firewall management (xDEFENSE), vulnerability management (v360), managed IT, managed compliance, and more, all with the CIS Controls at their center.
To take advantage of the safe harbor laws in your state using the CIS Controls, contact CorpInfoTech today!
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.