Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program

With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach.  The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.  

A written cybersecurity program meets the requirements of law if it: 

  • is designed to: (i) protect the security, confidentiality, and integrity of personal information; (ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and (iii) protect against a breach of system security;
  • reasonably conforms a recognized cybersecurity framework such as the NIST Cybersecurity Framework, the ISO 27000 family of information security management systems, or the HIPAA Security Rule; and
  • is of an appropriate scale and scope in light of the following factors: (i) the size and complexity of the person; (ii) the nature and scope of the activities of the person; (iii) the sensitivity of the information to be protected; (iv) the cost and availability of tools to improve information security and reduce vulnerability; and (v) the resources available to the person. 

The affirmative defense does not apply if the company had actual notice of a thread or hazard to the security, confidentiality, or integrity of personal information and the company did not act in a reasonable amount of time to take known remedial efforts to protect the personal information, resulting in a breach of system security.  The law makes clear that a risk assessment to improve the security, confidentiality or integrity of personal information is not considered an actual notice of a threat or hazard to the security, confidentiality or integrity of personal information.

  • Steven M. Wernikoff

    Steve Wernikoff is a litigation and compliance partner who co-leads the Data, Privacy, and Cybersecurity practice and the Autonomous Vehicle group. As a previous senior enforcement attorney at the Federal Trade Commission's ...

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.