Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program

With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach. The law provides an affirmative defense, under Utah law and in Utah courts, to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.

A written cybersecurity program meets the requirements of the law if it:

  • is designed to: (i) protect the security, confidentiality, and integrity of personal information; (ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and (iii) protect against a breach of system security;
  • reasonably conforms to a recognized cybersecurity framework such as the NIST Cybersecurity Framework, the ISO 27000 family of information security management system standards, or the HIPAA Security Rule; and
  • is of an appropriate scale and scope in light of the following factors: (i) the size and complexity of the person; (ii) the nature and scope of the activities of the person; (iii) the sensitivity of the information to be protected; (iv) the cost and availability of tools to improve information security and reduce vulnerability; and (v) the resources available to the person. 

The affirmative defense does not apply if the company had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information and did not act within a reasonable amount of time to take known remedial efforts to protect the personal information, resulting in a breach of system security. The law makes clear that a risk assessment undertaken to improve the security, confidentiality, or integrity of personal information is not itself considered actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information.

  • Steven M. Wernikoff

    Steve Wernikoff is a litigation and transactional partner who co-leads two of the firm's technology-based practice areas: the Data, Privacy, and Cybersecurity group and the Autonomous Vehicle group. As a previous officer and ...
