Keypoint: New Utah law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.

On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security.

The Act provides three affirmative defenses. If a “person” (broadly defined to include individuals and most business organizations but not government agencies or departments) creates, maintains, and reasonably complies with a written cybersecurity program that meets certain requirements and that program is in place at the time of a breach of that person’s system security, the person has a defense to an action claiming that it failed to implement reasonable information security controls that resulted in the breach of system security. Additionally, if the program had protocols at the time of a system security breach for responding to such breaches and those protocols reasonably complied with the program, the person also has a defense to a claim that it failed to appropriately respond to a breach of system security. Finally, if the program had protocols at the time of the system security breach for notifying an individual about such a breach, those protocols reasonably complied with the program, and the person followed the protocols, the person has a defense to a claim that it failed to appropriately notify an individual whose personal information was compromised in a breach of system security.

For a defendant to be able to invoke the protections of the Act, the written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information. This includes being designed to protect the security, confidentiality, and integrity of personal information and to protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information or a breach of system security. Regular readers of our posts on state privacy and information security laws will recognize the growing consensus across state legislatures to recognize a three-pronged approach (administrative, technical, and physical) to security safeguards. However, state legislatures have not been as consistent in their adoption of the CIA Triad, an information security model that seeks to protect the confidentiality, integrity, and availability of data on a network. Utah’s law is an example of that small differentiation in the model, replacing availability with security of the data as a requirement of the program.

Utah’s new law also requires a program to reasonably conform to a recognized cybersecurity framework (discussed below) and to be of an appropriate scale and scope in light of (1) the size and complexity of the person, (2) the nature and scope of the activities of the person, (3) the sensitivity of the information to be protected, (4) the cost and availability of tools to improve information security and reduce vulnerability, and (5) the resources available to the person.

A program reasonably conforms to a recognized cybersecurity framework if it is designed to protect the type of personal information obtained in the breach of system security, is a reasonable security program, and reasonably conforms to the current version of certain frameworks or publications, including, among others, certain NIST and ISO publications, the Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS Controls), certain federal or state data protection laws (e.g., HIPAA, GLBA), and the Payment Card Industry Data Security Standards (PCI/DSS). In order for a security program to be considered reasonable, it must include provisions for designating an employee responsible for coordinating the program as well as practices and procedures for detecting, preventing, and responding to a breach of system security. It must also provide for the training and management of employees in these practices and procedures and for the periodic testing, assessment, and, if necessary, adjustment of those practices and procedures.

The Act does not provide any affirmative defense if (1) the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information, (2) the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard, and (3) the threat or hazard resulted in the breach of system security. Arguably, this exclusion is a reminder that a cybersecurity program is not a “write it and forget it” exercise. To the contrary, it is a risk management tool for a business entity. Of note, the Act specifically confirms that a risk assessment to improve the security, confidentiality, or integrity of personal information is not considered to be actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information.

While the Act, by itself, will likely not stem the tide of data breach litigation, it should provide companies with a meaningful template for reducing their ultimate exposure if a data breach occurs.