Introduction
In an increasingly digital world, businesses face the constant threat of cyber breaches that jeopardize the security of personally identifiable information (PII) and protected healthcare information (PHI). As a response to this growing concern, several states in the U.S. have introduced or passed data breach safe harbor statutes to provide some level of protection for companies from class action lawsuits resulting from these breaches.
The Nebraska Legislature recently introduced a bill (LB 241) to provide protection from liability for cyber breaches in which PII or PHI were breached. The bill provides protection for a private entity from liability “unless the cybersecurity event was caused by willful, wanton or gross negligence on the part of the private entity.”
The bill is one of several such bills which have either been passed or are under consideration by several states.
Impetus for the Bill
The increase in data breach class actions, the ease of filing and rising settlements are just some of the motivations for this legislation. In 2017 the number of data breach class actions was under 200, while in 2024 the number of class actions filed was just short of 1500.¹ Each data breach notification brings a number of class actions, especially for large data breaches. A company facing notification requirements can expect a suit shortly after the letters are mailed.
Data breaches are unique in that companies must disclose an event which may lead to a lawsuit. Adding to the issue, many state Attorneys General publish data breach notifications on their websites. It is an easy task for a plaintiff’s attorney to find a notice, find a victim and then file a complaint using a template from a prior class action. The ease of the process is inviting even more attorneys to this practice.
This rise in the number of class action cases has also led to a rise in the amount the plaintiffs’ attorneys are demanding to settle the suits. Some of the bigger settlements are well known and published, such as:
- Meta — $1.3 billion.
- Didi Global — $1.19 billion.
- Amazon — $877 million.
It is troubling that foreign threat actors/hackers are able to wreak havoc on private entities and there is little the company can do about it after the fact. Then, to add insult to injury, plaintiffs’ attorneys attempt to collect fees on behalf of affected individuals in class actions, but the vast majority of the money is collected by the attorneys and very little, if any, actually inures to the benefit of the victims. A couple of examples are as follows:
- In re Wright & Filippis LLC Data Security Breach Litigation class action settlement:
  - The attorneys received a percentage of a $2.9 million settlement.
  - The victims received credit monitoring worth an estimated $30 each.
- Crumpton v. Octapharma Plasma Inc. class action settlement:
  - The attorneys received a percentage of a $9.9 million settlement.
  - The victims received approximately $400 to $800 based on submitted claims.
Zero-Day Events
Threat actors are able to attack at will because of zero-day vulnerabilities. Protecting networks and information is hard, and zero-day events make security even harder. Zero-day events are vulnerabilities which were previously unknown or for which no patch is available.² These are often exploited by foreign threat actors. Threat actors often scan networks and catalog exposed networks and applications. When a zero-day vulnerability is published, it is very quick and simple for the threat actor to search their database, find a vulnerable company and exploit the vulnerability.
Over the past several years, the number of zero-days tracked by the National Institute for Standards and Technology (NIST) has skyrocketed:³
NIST Statistics on Common Vulnerabilities and Exposures (CVE)
Year    Number of CVEs
2019    17305
2020    18349
2021    20155
2022    25043
2023    28817
2024    39999
A few years ago, NIST began tracking which CVEs are known to be exploited. In the past three months alone the number of exploited vulnerabilities has been 33, of which nine are critical.⁴ This means there are exploited zero-days which even the most efficient, competent and proactive information technology staff cannot control.
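The "exploited, and how many are critical" figure above is the kind of count a security team derives from NVD data when deciding what to patch first. The following Python is an added example, not code from the article: it takes NVD-style JSON records and counts, for a publication window, the CVEs that are listed in the CISA Known Exploited Vulnerabilities catalog, broken out by CVSS severity. The record layout (a "vulnerabilities" array whose "cve" objects carry "published", a "cisaExploitAdd" date when the CVE is in the KEV catalog, and "metrics" with "cvssMetricV31") follows the NVD 2.0 API as an assumption; every record and CVE id in the sample is constructed and none is a real vulnerability.

```python
"""Count actively exploited CVEs in a publication window, broken out by CVSS
severity, from NVD-style JSON. Added example, not code from the article.

Assumptions (labelled): records follow the NVD 2.0 API shape
("vulnerabilities" -> "cve" with "id", "published", "cisaExploitAdd" when the
CVE is in the CISA Known Exploited Vulnerabilities catalog, and "metrics").
Every record and CVE id below is constructed; none is a real vulnerability.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample records (placeholder ids, not real CVEs).
SAMPLE_NVD_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "published": "2025-01-10T12:00:00.000",
                 "cisaExploitAdd": "2025-01-12",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-00002", "published": "2025-02-03T08:30:00.000",
                 "cisaExploitAdd": "2025-02-05",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]}}},
        # Critical, but not in the KEV catalog (no "cisaExploitAdd"): scored, not known-exploited.
        {"cve": {"id": "CVE-0000-00003", "published": "2025-02-20T00:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
        # Exploited recently, but published long before the window: excluded by publication date.
        {"cve": {"id": "CVE-0000-00004", "published": "2024-06-15T00:00:00.000",
                 "cisaExploitAdd": "2025-02-25",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        # In the KEV catalog before NVD has assigned a CVSS score: counted as UNSCORED.
        {"cve": {"id": "CVE-0000-00005", "published": "2025-03-01T00:00:00.000",
                 "cisaExploitAdd": "2025-03-02",
                 "metrics": {}}},
    ]
}


def severity_of(cve: dict) -> str:
    """CVSS v3.1 base severity, or 'UNSCORED' when NVD has not scored the CVE yet."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        severity = metric.get("cvssData", {}).get("baseSeverity")
        if severity:
            return severity
    return "UNSCORED"


def exploited_in_window(response: dict, start_iso: str, end_iso: str) -> dict:
    """Severity -> count of KEV-listed CVEs published between start and end (inclusive)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    counts = Counter()
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        if "cisaExploitAdd" not in cve:      # not in the CISA KEV catalog: skip
            continue
        published = date.fromisoformat(cve["published"][:10])   # keep the date part only
        if start <= published <= end:
            counts[severity_of(cve)] += 1
    return dict(counts)


def kev_summary(response: dict, start_iso: str, end_iso: str) -> dict:
    """The totals a triage lead asks for: exploited CVEs in the window, and how many are critical."""
    by_severity = exploited_in_window(response, start_iso, end_iso)
    return {"total": sum(by_severity.values()),
            "critical": by_severity.get("CRITICAL", 0),
            "by_severity": by_severity}


def window_ending(end_iso: str, days: int = 90) -> tuple:
    """ISO (start, end) pair for the `days` days ending on end_iso, like NVD's 'last 3 months' view."""
    end = date.fromisoformat(end_iso)
    return ((end - timedelta(days=days)).isoformat(), end_iso)


if __name__ == "__main__":
    start, end = window_ending("2025-03-31")
    print(kev_summary(SAMPLE_NVD_RESPONSE, start, end))
```

Run against the constructed sample, the 90-day window ending 2025-03-31 reports three exploited CVEs, one of them critical; the critical CVE outside the KEV catalog and the exploited CVE published outside the window are both left out, which is the distinction between "scored severe" and "known exploited" that the article's figure depends on. Feeding the same functions a real NVD response would require fetching it from the NVD API; the sample is embedded so the example runs offline.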
Current Statutes
Safe harbor statutes come in two variations. The first variation provides an affirmative defense for entities that adhere to specified cybersecurity frameworks or standards, which is what qualifies them for liability protection. These frameworks may include the NIST Cybersecurity Framework, the Center for Internet Security (CIS) Controls, or the International Organization for Standardization (ISO) standards.
The primary goal is to reduce the financial and reputational risks associated with data breaches while promoting higher standards of data protection. The current statutes in the first category include:
- Connecticut: An Act incentivizing the adoption of cybersecurity standards for businesses (HB 6607).
- Iowa: An Act relating to affirmative defenses for entities using cybersecurity programs (HB 553).
- Florida (Proposed HB 473).
- Ohio: Data Protection Act of 2018 (SB 220).
- Utah: Cybersecurity Affirmative Defense Act (HB 80).
- Federal Law: HIPAA Safe Harbor Act (HR 7898).
A second category of safe harbor statutes requires proof of more than just negligence. These statutes do not require adherence to a cybersecurity standard; they simply raise the bar for proving such a case. Statutes in this category are:
- Nebraska: Proposed LB 241.
- Tennessee: Tennessee Information Protection Act (TIPA) (HB 1181).
Finally, one state passed a safe harbor law that only applies to hospitals:
- Oklahoma: Hospital Cybersecurity Protection Act of 2023 (HB 2790).
Most of the safe harbor laws allow for an affirmative defense. The plaintiffs’ attorneys, however, are filing their claims seeking a fast settlement before a defense can even be asserted. The settlements are being offered by the plaintiffs’ attorneys almost immediately after the action is filed. In one recent case, the suit was filed and a settlement was proposed and agreed to within weeks, which negates the benefit of having an affirmative defense.
Regarding the current Nebraska bill and Tennessee law, plaintiffs’ attorneys will most likely add allegations of gross negligence to the pleading which will ultimately still require organizing and providing a defense to prove otherwise.
Criticisms and Limitations
Despite their benefits, safe harbor statutes face criticism and challenges. Some argue that these statutes may provide undue protection to companies, allowing them to avoid accountability for data breaches. Others contend that the standards required for compliance may be too stringent or costly for smaller businesses to implement.
While safe harbor statutes offer protection, they are not absolute. Companies may still be held liable in cases of willful, wanton or gross negligence, as noted in the Nebraska bill. Additionally, businesses must continuously update their security practices to keep pace with evolving threats, as failure to do so could void their safe harbor protection.
Conclusion
Data breach safe harbor statutes represent a crucial step in addressing the growing threat of cyber breaches and the resulting legal repercussions. By offering liability protection to companies that adhere to recognized cybersecurity standards, these statutes promote a culture of proactive security and help mitigate the financial and reputational risks associated with data breaches. As more states consider and adopt such legislation, it is essential to strike a balance between providing protection for businesses and ensuring accountability for safeguarding sensitive information.
¹ https://www.duanemorris.com/pressreleases/duane_morris_llp_publishes_its_data_breach_class_action_review_2025_0225.html
² https://en.wikipedia.org/wiki/Zero-day_vulnerability
³ https://nvd.nist.gov/vuln/search/
⁴ https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false&results_type=overview&hyperlink_types=CISA+Known+Exploited+Vulnerabilities&form_type=Basic&search_type=last3months