WALENTINE O’TOOLE, LLP When time is of the essence, experience counts. Walentine O’Toole blends confidence, experience and knowledge with the personal attention you can expect from a regional law firm. www.walentineotoole.com 402.330.6300 11240 Davenport St. • Omaha, NE 68154-0125 • Ohio: Data Protection Act of 2018 (SB 220). • Utah: Cybersecurity Affirmative Defense Act (HB 80). • Federal Law: HIPAA Safe Harbor Act (HR 7898). A second category of safe harbor statutes require proof of more than just negligence. These statutes do not require adherence to a cybersecurity standard, just raise the bar to prove such a case. Statutes in this category are: • Nebraska: Proposed LB 241. • Tennessee: Tennessee Information Protection Act (TIPA) (HB 1181). Finally, one state passed a safe harbor law that only applies to hospitals: • Oklahoma: Hospital Cybersecurity Protection Act of 2023 (HB 2790). Most of the safe-harbor laws allow for an affirmative defense. The plaintiff attorneys, however, are filing their claims seeking a fast settlement before a defense can even be asserted. The settlements are being offered by the plaintiffs’ attorneys almost immediately after the action is filed. In one recent case, the suit was filed and a settlement was proposed and agreed to within weeks. Which negates the benefit of having an affirmative defense. Regarding the current Nebraska bill and Tennessee law, plaintiffs’ attorneys will most likely add allegations of gross negligence to the pleading which will ultimately still require organizing and providing a defense to prove otherwise. Criticisms and Limitations Despite their benefits, safe harbor statutes face criticism and challenges. Some argue that these statutes may provide undue protection to companies, allowing them to avoid accountability for data breaches. Others contend that the standards required for compliance may be too stringent or costly for smaller businesses to implement. While safe harbor statutes offer protection, they are not absolute. Companies may still be held liable in cases of willful, wanton or gross negligence, as noted in the Nebraska bill. Additionally, businesses must continuously update their security practices to keep pace with evolving threats, as failure to do so could void their safe harbor protection. Continued from page 18 Conclusion Data breach safe harbor statutes represent a crucial step in addressing the growing threat of cyber breaches and the resulting legal repercussions. By offering liability protection to companies that adhere to recognized cybersecurity standards, these statutes promote a culture of proactive security and help mitigate the financial and reputational risks associated with data breaches. As more states consider and adopt such legislation, it is essential to strike a balance between providing protection for businesses and ensuring accountability for safeguarding sensitive information. 1. https://www.duanemorris.com/pressreleases/duane_morris_llp_publishes_its_ data_breach_class_action_review_2025_0225.html 2. https://en.wikipedia.org/wiki/Zero-day_vulnerability 3. https://nvd.nist.gov/vuln/search/ 4. https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false&resul ts_type=overview&hyperlink_types=CISA+Known+Exploited+Vulnerabilities&fo rm_type=Basic&search_type=last3months 20 NEBRASKA BANKER
RkJQdWJsaXNoZXIy MTg3NDExNQ==