InfoBytes Blog
Utah creates certain affirmative defenses for data breaches
On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets specific safeguard requirements to protect personal information and is in place at the time of the data breach has an affirmative defense to claims brought under Utah law or in the courts of the state that allege the person failed to implement reasonable information security controls that resulted in the data breach. A person also has an affirmative defense to claims regarding the failure to appropriately respond to a data breach or provide notice to affected individuals as long as the written cybersecurity program contained specific protocols at the time of the breach that “reasonably complied with the requirements for a written cybersecurity program” for responding to a data breach or for providing notice. HB 80 also outlines the components that a written cybersecurity program must include to be eligible for an affirmative defense, and is effective 60 days following adjournment of the legislature.