
Keeping Up With the Cyber Laws – Ep 518 

 July 18, 2025

By  Donna Grindle

Think cybersecurity laws are just for the big guys? Think again. In this episode, we unravel the patchwork of new state regulations popping up faster than a phishing scam in your inbox—Ohio, Utah, Texas, Florida, and even Iowa are throwing their hats into the compliance ring. From safe harbor perks to tiered requirements for small businesses (yes, Texas made a flowchart-worthy version), we decode what these laws mean, who they apply to, and why HIPAA entities seem to always get the “you’re fine, probably” treatment. Bonus: there’s a federal bill in Congress that might actually help. Maybe.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT



Keeping Up With the Cyber Laws

Some legal matters to cover, but first some lessons from what happened to others.

[03:12]

Clean up those password pictures!

This spyware is stealing photos on iPhone and Android — protect yourself now | Tom’s Guide

[07:03]

Why your business's social media accounts must be secured.

A New Orleans restaurant owner’s Facebook was hacked. It put her business in jeopardy | WWNO

Wow, got her twice!

“Small businesses are the perfect target for bad, malicious cyber actors because they generally have worse security,” said Adam McCloskey, director of the Louisiana Small Business Development Center at Louisiana State University. “Cyber attacks are one of the top threats that small businesses face.”

[24:07]

State Cybersecurity Safe Harbor Laws — 2025 Roundup

Some legalese telling us to get on board with cybersecurity. The list of states is growing, and several of the newer laws are aimed squarely at small businesses.

🟢 Ohio

Law: Ohio Rev. Code §1354 (2018)

Name: Ohio Data Protection Act

  • 🔐 What’s Required: Written cybersecurity program aligned with frameworks like:
    • NIST CSF or SP 800-53
    • ISO/IEC 27001
    • CIS Controls
  • 🛡️ What’s Protected:
    • Affirmative defense against tort claims (e.g., negligence) after a data breach
    • HIPAA/GLBA-regulated entities qualify by conforming to those federal requirements; the law treats that as meeting the framework standard

🟢 Utah

Law: Utah Cybersecurity Affirmative Defense Act (2021)

Citations: Utah Code §§78B-4-701 to 703

  • 🔐 What’s Required:
    • A written cybersecurity program
    • Aligned with NIST, CIS, or similar recognized frameworks
  • 🛡️ What’s Protected:
    • Three affirmative defenses: failure to implement, failure to respond, and failure to notify
    • Applies only to tort claims, not regulatory actions
    • HIPAA/GLBA entities are excluded

🟢 Connecticut

Law: Public Act No. 21-119 (2021)

Name: An Act Incentivizing the Adoption of Cybersecurity Standards

  • 🔐 What’s Required:
    • Cybersecurity program aligning with:
      • NIST CSF or 800-171
      • ISO 27001
      • CIS Controls
      • HIPAA, GLBA, or other sector-specific standards
  • 🛡️ What’s Protected:
    • Protection from punitive damages in tort suits alleging failure to implement reasonable controls
    • Not available where the failure resulted from gross negligence or willful or wanton conduct
    • HIPAA and GLBA-covered entities are explicitly treated as compliant if following federal law

🟢 Oklahoma

Law: Oklahoma Computer Security Incident Liability Protection Act (2022)

  • 🔐 What’s Required:
    • Implemented and maintained cybersecurity program aligned with recognized frameworks
  • 🛡️ What’s Protected:
    • Affirmative defense in lawsuits stemming from a security incident
    • HIPAA and GLBA entities are excluded from the law

🟢 Florida

Law: Cybersecurity Liability Protection Act (2025)

Effective: May 2025

  • 🔐 What’s Required:
    • Written cybersecurity program based on:
      • NIST CSF
      • ISO/IEC 27001
      • FedRAMP
      • CIS Controls
  • 🛡️ What’s Protected:
    • Affirmative defense against claims for failure to protect personal data
    • HIPAA/GLBA entities are excluded

🟢 Iowa

Law: Iowa Consumer Data Protection Act (SF 262)

Effective: January 1, 2025

  • 🔐 What’s Required:
    • Maintain “reasonable” administrative, technical, and physical security practices
    • Frameworks are not explicitly required — more flexible language
  • 🛡️ What’s Protected:
    • No safe harbor or affirmative defense; this is a consumer privacy law enforced by the state attorney general (no private right of action), with a 90-day cure period
    • HIPAA/GLBA entities are excluded

🟢 Texas

Law: SB 2610 (2025)

Effective: July 1, 2026

  • 🔐 What’s Required for Safe Harbor:
    • Must have a cybersecurity program tailored to org size
    • AND meet thresholds:
      • < 250 employees
      • < 100K consumers
      • < 50% revenue from data sales
    • Use frameworks like NIST, ISO, CIS, etc.
  • 🛡️ What’s Protected:
    • Only exempts business from exemplary (punitive) damages
    • Larger businesses not eligible for this protection
    • HIPAA-covered entities are excluded from the law

[39:15]

Maybe Congress is going to take HSCC up on its idea of collaborating with government on HIPAA security.

Text – H.R.3841 – 119th Congress (2025-2026): Healthcare Cybersecurity Act of 2025

S.1851 – 119th Congress (2025-2026): Healthcare Cybersecurity Act of 2025

Public-Private Partnership

Bill says:

  • Establishes a formal collaboration between HHS and CISA to support healthcare cybersecurity.
  • Calls for joint assessment, training programs, and strategy development.

HSCC published guidance:

  • Repeatedly emphasizes the need for federal collaboration with industry, not regulation of industry.
  • 405(d) materials like Health Industry Cybersecurity Practices (HICP) and their implementation guides are built on this partnership model.

🔗 Alignment: Direct — this is the bill institutionalizing what HSCC has been doing voluntarily.

Risk-Based, Scalable Cybersecurity for Small/Medium Providers

Bill says:

  • Directs creation of training and educational resources tailored to small/medium healthcare providers.

HSCC work includes:

  • HICP (Health Industry Cybersecurity Practices) with versions tailored for small, medium, and large organizations.
  • HHS 405(d) Task Group materials emphasize scalable implementation — not one-size-fits-all.

🔗 Alignment: Spot on — the bill operationalizes the 405(d) message that rural clinics shouldn’t be expected to act like Fortune 500 hospitals.

Improved Threat Information Sharing

Bill says:

  • Expands the ability of HHS and CISA to share threat intelligence with healthcare orgs in real time and in usable formats.

HSCC initiatives:

  • Their work with H-ISAC and the Sector Coordinating Council calls for better public-private intel pipelines.
  • Repeated concerns in HSCC reports about lack of actionable threat intelligence reaching providers in time.

🔗 Alignment: Solid — especially around calls to make threat sharing simpler, faster, and accessible for smaller orgs.

Formal Vulnerability Reporting and Sector-Wide Assessments

Bill says:

  • Requires HHS and CISA to produce a joint report on sector cybersecurity vulnerabilities and recommendations.

HSCC/405(d) asks:

  • Annual or routine sector risk assessments and status reports are a core recommendation.
  • Past publications (e.g., “Health Industry Cybersecurity Tactical Crisis Response” and HICP) ask for data to inform risk models and tailor funding/support.

🔗 Alignment: Strong — this is the first step toward the kind of feedback loop HSCC wants to see from feds to the field.

At the end of the cyber day, the message is simple: ignorance isn’t bliss—it’s expensive. With states rolling out their own flavors of cybersecurity accountability and Congress peeking over the legislative fence, small businesses can no longer afford to play the “but we’re too small to hack” card. Grab a framework, lock down your systems, and for the love of your budget, stop pretending compliance is optional. Future you (and your legal team) will thank you.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
