In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.
In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:
- A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.
- A claim that the person failed to appropriately respond to a breach of system security.
- A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.
The written cybersecurity programs must satisfy several requirements to warrant the Act’s protection. In part, such programs must provide administrative, technical, and physical safeguards to protect personal information. These safeguards include:
- being designed to:
- protect the security, confidentiality, and integrity of personal information;
- protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
- protect against a breach of system security.
- reasonably conforming to a recognized cybersecurity framework (see below); and
- being of an appropriate scale and scope in light of several factors (e.g. size/complexity of the business, the business’s nature/scope, sensitivity of the information protected, etc.)
Reasonably conforming to a recognized cybersecurity framework generally means (i) being designed to protect the type of information involved in the breach of system security, and (ii) either (I) constituting a reasonable security program as described in the Act; (II) reasonably conforming to an enumerated security framework, such as the NIST special publication 800-171 or the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (III) reasonably complying with the federal or state regulations applicable to the personal information obtained in the breach of system security (e.g., complying with HIPAA when “protected health information” is breached).
A person may not claim an affirmative defense, however, if:
- The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;
- The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and
- The threat or hazard resulted in the breach of system security.
Utah is the second state to establish an affirmative defense to claims arising from a data breach. Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.
This affirmative defense model established by both Utah and Ohio is a win for both companies and consumers, as it incentivizes heightened protection of personal data, while providing a safe harbor from certain claims for companies facing data breach litigation. It would not be surprising to see other states take a similar approach. Most recently, the Connecticut General Assembly reviewed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which provides for a similar safe harbor as in Utah and Ohio. Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.