
Safe Harbor: Shield Your Law Firm from Major Cybercrime Damage Thanks to Cyber Safe Harbor Laws

Team STS

Texas is the newest state in a growing group to help businesses lower their liability against the inevitable cyber threat landscape. Cybersecurity Safe Harbor Laws are gaining traction across the United States as lawmakers recognize the threat trends: roughly 67% of all organizations worldwide faced a cyberattack in the last 12 months, a steady increase likely to continue through 2026.  

Among those targets, SMBs make up the majority: 46% of cyberattacks target organizations with fewer than 1,000 employees, and 37% of ransomware attacks specifically targeted organizations employing under 100 people.

What are Cybersecurity Safe Harbor Laws? 

Cybersecurity safe harbor laws are provisions that can shield businesses and organizations, like your law firm, against punitive damages after a breach. They were created to encourage and incentivize organizations to step up their cybersecurity measures and contribute to a culture of cyber safety.  

RIMS, or the Risk Management Society, explains as follows: 

“Cyberbreaches are bound to happen, so understanding and leveraging safe harbor laws can provide an additional layer of protection. These regulatory guidelines can provide an invaluable guide for organizations to confidently enter into new markets across the United States while, simultaneously, building a stronger, more robust cybersecurity defense.” 

In return for upholding cybersecurity standards through a documented and provable process, law firms and other businesses may be able to reduce their liability for punitive damages if a breach occurs.

These laws may even make the difference between a business’s untimely end and its continuance—about one in five companies go out of business after a cyberattack due to factors like monetary loss, reduced customer trust, market devaluation, regulatory and compliance woes, and reputational damage.  

Per Quinn Emanuel, “It is well known that data breaches and associated litigation are on the rise. The number of data breach incidents in the United States more than doubled over five years, from 1,278 incidents in 2019 to 3,158 in 2024. Identity Theft Resource Center, 2024 Data Breach Report 9 (Jan. 2025). The harm associated with these breaches is increasing as well—in 2024, the average cost of a data breach in the US surged to $10.2 million, its highest ever. IBM, Cost of a Data Breach Report 2025 (2025).”

For a law firm specifically, depending on its size, the average total cost of a breach can range from $36,000 to $5.8 million (per ExchangeDefender; Embroker).

How do Cybersecurity Safe Harbor Laws Protect Law Firms? 

First and foremost, implementing the controls and frameworks required to leverage safe harbor laws helps protect your law firm from a cyberattack in the first place. These frameworks are built on foundations of cybersecurity knowledge and best practices, giving law firms like yours a valuable and actionable tool for protecting your people, data, and business.  

In the event that an attack does occur, having proper controls in place can be likened to a series of locked doors—just because a hacker breaks through the first door doesn’t mean they can immediately enter the next. Layers of security measures help mitigate the damage from a successful breach and contain the threat before it becomes calamitous.  

If your law firm falls victim to an attack, you could be held liable for punitive damages, among other consequences. Safe harbor laws can provide some relief by limiting the punitive financial damage, lowering the total cost of the breach to your business.

Which states recognize Cybersecurity Safe Harbor Laws in 2025? 

Per Quinn Emanuel, the following states have passed cybersecurity safe harbor laws as of September 2025:  

  • Ohio 
  • Utah 
  • Connecticut 
  • Iowa 
  • Tennessee 
  • Texas 

Florida and West Virginia also passed safe harbor laws, but they were vetoed at the executive level.  

What if my state doesn’t have cybersecurity safe harbor laws? 

More states are expected to attempt to pass safe harbor laws as they grow in popularity—and because it takes time to adhere to the compliance steps, now is the time to prepare in case your state is next on the list.  

Not only will you be prepared and able to prove your proactivity in the event of regulatory or legal issues after a breach, you’ll also be ready to leverage these laws as they become available to you. Plus, your cyber insurance policy likely dictates many of the same controls in order for you to maintain and leverage your coverage—so it’s never a bad idea to check how your firm is doing against these frameworks.  

Even more important is this one simple fact: following trusted cybersecurity frameworks protects your law firm in the first place. A proactive approach is critical in preventing, mitigating, and lowering the impact of cyber incidents as they increase in number and severity across the legal industry.  

How can my law firm qualify for these protections? 

Individual state laws may have specific requirements, but generally speaking, a business like your law firm must be able to prove that it follows a cybersecurity best-practices framework, most likely one published by a recognized, reputable organization.

These organizations may include: 

  • National Institute of Standards and Technology (NIST) 
  • Center for Internet Security (CIS) 
  • The American Institute of Certified Public Accountants (AICPA) 
  • The Payment Card Industry Security Standards Council (PCI SSC) 
  • HIPAA 
  • Federal Risk and Authorization Management Program (FedRAMP) 
  • International Organization for Standardization (ISO) 

These organizations offer standardized, trusted frameworks for cybersecurity that can help lower the probability of a successful cyberattack or mitigate the impact of a successful attack on your business.  

Though state laws vary in what they require, your law firm will likely need to undergo an audit or certification program aligned with one of these organizations’ frameworks.

For example, a company can undergo an independent, elective audit of its security controls to receive a SOC 2 Type II report, an attestation framework created and maintained by the AICPA.

Another example is HIPAA compliance: a law firm working in medical malpractice or class action lawsuits is likely already required to undergo HIPAA compliance audits or prove compliance regularly, aligning its security controls to the federal standards outlined in the Health Insurance Portability and Accountability Act.


What are cybersecurity “controls”? 

“Controls” are measures taken to guard against cyberthreats and attacks. You may hear this terminology when discussing cybersecurity programs, audits, and frameworks—it's simply a catch-all referring to the systems, solutions, and actions that strengthen your cybersecurity posture.  

A few common examples of cybersecurity controls include: 

  • Multi-factor authentication 
  • Firewalls  
  • Email screening and spam filters 
  • Access management  
  • Phishing training  
  • Cloud security solutions  

There are many important controls to consider; depending on the framework your law firm chooses to adhere to, you may find specific requirements that focus on protecting your devices, your network, your data, your people, and more.  

Who conducts cybersecurity framework audits? 

Depending on the type of audit your law firm seeks and the requirements of the framework’s governing organization, you may be able to work with an independent auditor. A third party, such as an IT Managed Services Provider (MSP) or another cybersecurity service provider, can audit your controls and provide recommendations for improving your security posture.

Does my law firm really need a full cybersecurity audit? 

Even if a full, formal audit is not required by your particular state, it is still recommended for your law firm’s safety and as the strongest possible proof of framework adoption. At the very least, you will likely need to engage a partner with cybersecurity expertise to produce evidence of controls: security patch logs, hardware update records, documented incident response plans, and more.

Qualifying a vendor: Be warned!  

When choosing an auditor, be aware that not all vendors are alike. Your law firm should carefully consider its options: is your preferred or existing vendor truly qualified to perform your audit?

Here are some questions to ask as you seek to qualify a vendor to audit your law firm: 

  • Does this vendor hold our desired certification/compliance or a similar certification themselves? 
  • What cybersecurity credentials and expertise does this vendor have?  
  • Can this vendor provide documentation of their own security controls?  
  • If we’ve worked with this vendor before, do we find them to be proactive and communicative enough to provide this service?  
  • Will this vendor be able to follow up proactively to help us maintain our compliance?  

You should know that, as of today, no Managed Services Provider or other IT partner is required to adhere to a specific cybersecurity certification or framework. Few elect to go through rigorous auditing processes, since it is not legally required.

The best way to ensure you’re in good hands throughout the compliance and auditing process is to find a vendor who has completed the same process themselves.


The Final Word: Cybersecurity safe harbor laws can protect your law firm. 

The digital world is rife with risk for law firms. Hackers specifically target your industry due to the high amount of sensitive data you host and process, and because the often outdated technology and low-barrier cybersecurity controls many law firms have today simply can’t contain a threat. It’s easy and profitable for hackers to attack your law firm—why wouldn’t they try it? 

Your cybersecurity controls are the number one line of defense between hackers and your law firm. Clients, team members, and the overall business rely on these protections. If you don’t yet have them in place, you may face severe financial penalties—and insurance companies are increasingly denying coverage to businesses who are not proactive with their cybersecurity controls.  

As a SOC 2 Type II certified Managed Services Provider working exclusively with law firms, Strategic Technology Solutions has the firsthand experience of undergoing a rigorous compliance audit and building a robust, effective cybersecurity posture that adheres to the AICPA framework.

In order to help you provide the same protections to your team, clients, and business, we’ve designed our Cybersecurity Maturity Program around trusted CIS and NIST controls. The program is carried out by our proactive cybersecurity experts, who have the experience to know exactly what your law firm needs to leverage cybersecurity safe harbor laws.

Here’s How to Start Today 

Whether you’re starting from scratch or looking to tune up your cybersecurity controls, we’re here to help your law firm. The legal industry is our sole focus, and we’re a trusted partner to hundreds of legal industry professionals.  

Click here to get in touch today, or download our free Cybersecurity Essentials for Law Firms guide to see how your firm’s security controls stack up against threats.  
