Cloud Hosting

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (the Act), an amendment to Utahs data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.

In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (persons) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:

The written cybersecurity programs must satisfy several requirements to warrant the Acts protection. In part, such programs must provide administrative, technical, and physical safeguards to protect personal information. These safeguards include:

Reasonably conforming to a recognized cybersecurity framework generally means (i) being designed to protect the type of information involved in the breach of system security, and (ii) either (I) constituting a reasonable security program as described in the Act; (II) reasonably conforming to an enumerated security framework, such as the NIST special publication 800-171 or the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (III) reasonably complying with the federal or state regulations applicable to the personal information obtained in the breach of system security (e.g., complying with HIPAA when protected health information is breached).

A person may not claim an affirmative defense, however, if:

Utah is the second state to establish an affirmative defense to claims arising from a data breach. Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining reasonable cybersecurity controls.

This affirmative defense model established by both Utah and Ohio is a win for both companies and consumers, as it incentivizes heightened protection of personal data, while providing a safe harbor from certain claims for companies facing data breach litigation. It would not be surprising to see other states take a similar approach. Most recently, the Connecticut General Assembly reviewed HB 6607, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, which provides for a similar safe harbor as in Utah and Ohio. Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.

Read more:
Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation - Lexology