December 1, 2021

Volume XI, Number 335

Advertisement
Advertisement

December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

November 29, 2021

Subscribe to Latest Legal News and Analysis

Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.

In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:

  • A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.

  • A claim that the person failed to appropriately respond to a breach of system security.

  • A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.

The written cybersecurity programs must satisfy several requirements to warrant the Act’s protection. In part, such programs must provide administrative, technical, and physical safeguards to protect personal information. These safeguards include:

  • being designed to:

    • protect the security, confidentiality, and integrity of personal information;

    • protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and

    • protect against a breach of system security.

  • reasonably conforming to a recognized cybersecurity framework (see below); and

  • being of an appropriate scale and scope in light of several factors (e.g. size/complexity of the business, the business’s nature/scope, sensitivity of the information protected, etc.)

Reasonably conforming to a recognized cybersecurity framework generally means (i) being designed to protect the type of information involved in the breach of system security, and (ii) either (I) constituting a reasonable security program as described in the Act; (II) reasonably conforming to an enumerated security framework, such as the NIST special publication 800-171 or the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (III) reasonably complying with the federal or state regulations applicable to the personal information obtained in the breach of system security (e.g., complying with HIPAA when “protected health information” is breached).

A person may not claim an affirmative defense, however, if:

  • The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;

  • The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and

  • The threat or hazard resulted in the breach of system security.

Utah is the second state to establish an affirmative defense to claims arising from a data breach.  Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.

This affirmative defense model established by both Utah and Ohio is a win for both companies and consumers, as it incentivizes heightened protection of personal data, while providing a safe harbor from certain claims for companies facing data breach litigation.   It would not be surprising to see other states take a similar approach.  Most recently, the Connecticut General Assembly reviewed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which provides for a similar safe harbor as in Utah and Ohio.  Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 97
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000
Advertisement
Advertisement
Advertisement