When a business suffers a data breach, the business not only is victimized by the breach, but also might be sued if any personal or other confidential information was exposed. If the business can show it acted reasonably in protecting the information and suffered the breach anyway, however, the business could prevail in the lawsuit. The question then becomes: How does the business show it acted reasonably in protecting the information?
In March 2021, Utah passed a law to answer this question. The Utah Cybersecurity Affirmative Defense Act creates an “affirmative defense” for businesses defending data breach lawsuits. Utah will join Ohio as the two states whose laws give businesses a statutory affirmative defense if the business is sued after a data breach, but can show it had a legally sufficient cybersecurity program.
To qualify for the affirmative defense under the Utah and Ohio laws, the business’s cybersecurity program must be in writing and comply with one or more of the following frameworks:
- If the business complies with a specifically listed cybersecurity framework or publication, such as, for example, the National Institute of Standards and Technology in the United States Department of Commerce (“NIST”) special publication 800-171, the Center for Internet Security critical security controls for effective cyber defense (“CIS Controls”), or the Payment Card Industry Data Security Standards (“PCI-DSS”), the business may qualify to assert this affirmative defense.
- If the business is subject to and complies with certain federal regulations, such as, for example, HIPAA for healthcare providers or the Gramm-Leach-Bliley Act for financial institutions, the business may qualify for this affirmative defense.
- Another way to qualify for this affirmative defense under the Utah law is to implement a “reasonable” cybersecurity program. A “reasonable” cybersecurity program must include procedures to detect, prevent, and respond to a data breach; employee training; risk assessments; and adjustments to new or changing circumstances to protect personal information.
Because using one or more of these frameworks may create an affirmative defense to a data breach lawsuit in Utah or Ohio, businesses operating nationwide would be wise to consider these requirements in developing their cybersecurity programs.
The above is a summary of key provisions, not a full recitation, of the Utah and Ohio statutes on this issue, and other requirements and exceptions may apply. Data privacy and cybersecurity laws in the United States often are described as a “patchwork,” because they differ between jurisdictions and industries. We expect this patchwork to continue for the foreseeable future, and uniform federal legislation in this space appears unlikely anytime soon.
We advise clients in various industries with cybersecurity matters, including drafting internal and external policies. Please feel free to contact us for more information.