A Connecticut court recently determined that the Health Insurance Portability and Accountability Act privacy rule, 42 U.S.C. § 1320d-6, and its implementing regulations “may be utilized to inform the standard of care applicable to . . . claims arising from allegations of negligence in the disclosure of patient’s medical records pursuant to a subpoena.” Byrne v. Avery Ctr. for Obstetrics & Gynecology, 2014 WL 5507439, at *8 (Conn. Nov. 11, 2014). In other words, the court determined that federal health care information privacy standards may be used to define the applicable standard of care against which the defendant company will be judged when defending a state law tort claim. Byrne is limited to tort claims based on health care information in Connecticut. Nonetheless, proactive energy pipeline compliance professionals should be mindful of what the decision more broadly may signal—namely, an attempted coalescence, by plaintiffs, of otherwise inapplicable or voluntary legal standards and best practices into an applicable standard of care against which a company’s cybersecurity practices may be judged.