Utah Creates Safe Harbor for Companies Facing Data Breach Litigation
Utah Becomes the Second U.S. State to Establish Affirmative Defenses for Security Breach
Motivating organizations to address data privacy can turn out to be a difficult task. Therefore, some states are trying an incentive-based approach.
On March 11th, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80). The Act amends Utah's data breach notification law, creating multiple affirmative defenses for persons facing a cause of action arising from a breach of system security, and establishing the requirements for maintaining such a defense.
As a result, Utah became the second state, after Ohio's Data Protection Act in 2018, to provide a safe harbor from data breach litigation for businesses that implement and maintain reasonable cybersecurity controls.
The Cybersecurity Affirmative Defense Act establishes three affirmative defenses to tort-based claims brought under Utah law in a Utah state court:
- A person that creates, maintains, and reasonably complies with written, industry-recognized cybersecurity regulations that were in place at the time of the breach has an affirmative defense to a claim that the person failed to implement reasonable information security controls that resulted in the breach;
- A person that creates, maintains, and reasonably complies with their program and also had in place protocols for responding to a breach of system security at the time of the breach has an affirmative defense to a claim that the person failed to appropriately respond to a breach of a security system;
- A person that creates, maintains, and reasonably complies with their program and also had in place protocols for notifying an individual about a breach at the time of the breach has an affirmative defense to a claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of a security system.
The model established by Utah and Ohio should be a win for both companies and consumers, as it encourages stronger personal data protection while providing companies facing data breach litigation a safe harbor from certain claims. Because tying reasonable cybersecurity practices to the adoption of recognized frameworks is voluntary, other states will take on this approach as well, especially since there is no comparable definition of reasonable cybersecurity at the federal level.
The Connecticut General Assembly recently reviewed An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses (HB 6607), which provides a safe harbor similar to those in Utah and Ohio.