The Matrix

A written cybersecurity program meets the requirements of law if it: 

• is designed to: (i) protect the security, confidentiality, and integrity of personal information; (ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and (iii) protect against a breach of system security;
• reasonably conforms a recognized cybersecurity framework such as the NIST Cybersecurity Framework, the ISO 27000 family of information security management systems, or the HIPAA Security Rule; and
• is of an appropriate scale and scope in light of the following factors: (i) the size and complexity of the person; (ii) the nature and scope of the activities of the person; (iii) the sensitivity of the information to be protected; (iv) the cost and availability of tools to improve information security and reduce vulnerability; and (v) the resources available to the person. 

The affirmative defense does not apply if the company had actual notice of a thread or hazard to the security, confidentiality, or integrity of personal information and the company did not act in a reasonable amount of time to take known remedial efforts to protect the personal information, resulting in a breach of system security.  The law makes clear that a risk assessment to improve the security, confidentiality or integrity of personal information is not considered an actual notice of a threat or hazard to the security, confidentiality or integrity of personal information.