Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation
Wednesday, April 7, 2021
cybercrime concept
Print Mail Download i

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.

In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:

  • A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.

  • A claim that the person failed to appropriately respond to a breach of system security.

  • A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.

The written cybersecurity programs must satisfy several requirements to warrant the Act’s protection. In part, such programs must provide administrative, technical, and physical safeguards to protect personal information. These safeguards include:

  • being designed to:

    • protect the security, confidentiality, and integrity of personal information;

    • protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and

    • protect against a breach of system security.

  • reasonably conforming to a recognized cybersecurity framework (see below); and

  • being of an appropriate scale and scope in light of several factors (e.g. size/complexity of the business, the business’s nature/scope, sensitivity of the information protected, etc.)

Reasonably conforming to a recognized cybersecurity framework generally means (i) being designed to protect the type of information involved in the breach of system security, and (ii) either (I) constituting a reasonable security program as described in the Act; (II) reasonably conforming to an enumerated security framework, such as the NIST special publication 800-171 or the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (III) reasonably complying with the federal or state regulations applicable to the personal information obtained in the breach of system security (e.g., complying with HIPAA when “protected health information” is breached).

A person may not claim an affirmative defense, however, if:

  • The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;

  • The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and

  • The threat or hazard resulted in the breach of system security.

Utah is the second state to establish an affirmative defense to claims arising from a data breach.  Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.

This affirmative defense model established by both Utah and Ohio is a win for both companies and consumers, as it incentivizes heightened protection of personal data, while providing a safe harbor from certain claims for companies facing data breach litigation.   It would not be surprising to see other states take a similar approach.  Most recently, the Connecticut General Assembly reviewed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which provides for a similar safe harbor as in Utah and Ohio.  Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang
MSHA Issues Long Awaited Final Silica Rule
by: Karl F. Kumli
Labor Commissioner’s FAQ on Fast Food Minimum Wage
by: Laura A. Pierson-Scheinberg , Benjamin A. Tulis
New Study Shows Gen Z LGBTQIA+ Students, Graduates Value, Seek Out Inclusive Workplaces
by: Teresa Burke Wright
DHS Extends, Redesignates Temporary Protected Status for Ethiopia
by: Forrest G. Read IV
Privacy Versus Cyber – What is the Bigger Risk?
by: Joseph J. Lazzarotti
Top Five Labor Law Developments for March 2024
by: Jonathan J. Spitz , Richard F. Vitarelli
How Manufacturers Can Stay Ahead of the Changing Landscape of PFAS Regulations
by: Arthur Cunningham

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins