- In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.
- In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach.
- A person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:
- A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.
- A claim that the person failed to appropriately respond to a breach of system security.
- A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.
- A person may not claim an affirmative defense, however, if:
- The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;
- The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and
- The threat or hazard resulted in the breach of system security.
– Joseph J. Lazzarotti and Jason C. Gavejian | April 7, 2021