The Matrix

Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program


With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio's Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach. The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.

A written cybersecurity program meets the requirements of the law if it:

  • is designed to: (i) protect the security, confidentiality, and integrity of personal information; (ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and (iii) protect against a breach of system security;
  • reasonably conforms to a recognized cybersecurity framework such as the NIST Cybersecurity Framework, the ISO 27000 family of information security management system standards, or the HIPAA Security Rule; and
  • is of an appropriate scale and scope in light of the following factors: (i) the size and complexity of the person; (ii) the nature and scope of the activities of the person; (iii) the sensitivity of the information to be protected; (iv) the cost and availability of tools to improve information security and reduce vulnerability; and (v) the resources available to the person. 

The affirmative defense does not apply if the company had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information and did not act within a reasonable amount of time to take known remedial efforts to protect the personal information, resulting in a breach of system security. The law makes clear that a risk assessment undertaken to improve the security, confidentiality, or integrity of personal information is not itself considered actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information.
