March 28, 2023

Volume XIII, Number 87


March 27, 2023

Subscribe to Latest Legal News and Analysis

Utah Creates Data Breach Safe Harbor

Utah recently amended its breach notice law to provide certain defenses to companies who suffer a data breach.  It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and reasonably comply with a written cybersecurity program may have an affirmative defense to litigation resulting after a data breach. For the safe harbor to apply, the written cybersecurity program must:

  • be designed to protect against the security, confidentiality and integrity of personal information and anticipated threats and hazards;

  • reasonably conform to a recognized cybersecurity framework like NIST 800-171 or 800-53, ISO 27000, PCI DSS, and federal laws such as HIPAA and GLBA (among others); and

  • be appropriate to the “scale and scope” of the company, the information it collects, the activities in which it engages, and its resources and tools available.

Even if a written cybersecurity program is in place, there are certain exceptions. For example, if the entity had actual notice of a threat to the security of the personal information. Or, if it did not act in a reasonable amount of time to take known remedial efforts to protect the personal information.

Putting it into PracticeThe Utah and Ohio laws provide incentives for companies to protect information in light of the safe harbor from certain litigation claims after a data breach. As a reminder, beyond these laws, many states require a written cybersecurity program as part of their data security laws.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 102

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...