What Are Data Breach Safe Harbor Laws? Top Security Benefits for SMBs

Who is the biggest loser in cybercrime? In most cases, it's the victim - the business that was exploited. Cybercrime is a multi-trillion-dollar industry that's growing year by year. No aspect of daily life is immune. Hospitals and universities are being held hostage with ransomware, confidential information is being exploited through technical vulnerabilities, and user identities (username and password) are being compromised in phishing attacks. It is nearly impossible to function today without the internet. Because of this, cybercriminals are thriving, costing businesses billions of dollars per year.

A Comprehensive Business Guide to Data Breach Safe Harbor Laws for SMBs:


What Are Safe Harbor Laws?

Businesses are always responsible for the cost of recovery, whether they're paying in full or using cybersecurity insurance to absorb some of the costs. But according to Cisco, 68% of businesses do not have cyber insurance or a recovery plan. This can lead to a prohibitively expensive recovery, forcing bankruptcy or closure. As such, states are starting to enact Safe Harbor laws that minimize damages resulting from data breaches. Ohio was the first state to establish a data breach Safe Harbor framework, followed by Utah, and soon to be joined by Connecticut.

Safe Harbor laws are often tied to existing IT Governance frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) 20, etc. However, just like cybersecurity insurance, Safe Harbor laws require businesses to follow security best practices in order to be eligible. The last thing a business owner wants to hear is that they "failed to maintain" security standards when filing a claim.

Meeting Cyber Insurance Standards

According to a Keeper Security survey, most SMBs (500 employees or fewer) lack dedicated cybersecurity staff or an incident response plan. The same survey pointed out other challenges including a lack of clear security priorities, implementation timelines, stakeholders, and project leaders. Without a clear plan, a commitment to cybersecurity, and oversight, your business may "fail to maintain" the standards necessary to benefit from Safe Harbor laws or cybersecurity insurance. Remember:

  • Safe Harbor laws can minimize damages under lawsuits related to data breaches.
  • Cyber insurance can help businesses reduce the recovery cost of a cyber event.
  • Both Safe Harbor laws and cyber insurance require businesses to follow security best practices.
  • Adopting a framework such as CIS or NIST can help align current security efforts with best practices.


The first step towards eligibility is to hire a dedicated security professional. For companies that are unable to do so, consider partnering with a managed services provider that can provide outsourced security professionals. When assessing a security expert, check their certifications. Common certifications include CISSP, CCSP, CISA, etc. These certifications reflect and add credibility to both the individual and your organization. Your security professional should also recognize opportunities to engage with departments and individuals across your company. The best security professionals are those who can apply their expertise in creative and interactive ways, whether they're supporting employee training programs or collaborating with the Marketing department to create dynamic security content.

Next Steps for Securing Your Business

  • Get C-level buy-in for your security program; this will positively impact company operations and culture.

  • Create a budget for security initiatives. It should be about 15-20% of your annual IT spend (excluding salaries). If you're starting from the beginning, the first few years will require additional funding.

  • Hire a credentialed security professional or service provider.

  • Adopt a framework that will align with your business. Regardless of the one you choose, map it to other frameworks for broad alignment.


For more information about cyber insurance and Safe Harbor laws, reach out to iCorps for a free IT consultation.
