Utah Becomes the Second U.S. State to Establish Affirmative Defenses for Data Breach. This new law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.
On March 11, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to different causes of action arising out of a breach of system security.
The Act provides 3 affirmative defenses.
The Act establishes the following three (3) affirmative defenses to tort-based claims brought under Utah law in a Utah state court:
- A person that creates, maintains, and reasonably complies with written industry-recognized cybersecurity regulations that were in place at the time of the breach has an affirmative defense to a claim that the person failed to implement reasonable information security controls that resulted in the breach;
- A person that creates, maintains, and reasonably complies with their program and also had in place protocols for responding to a breach of system security at the time of the breach has an affirmative defense to a claim that the person failed to appropriately respond to a breach of a security system; and
- A person that creates, maintains, and reasonably complies with their program and also had in place protocols for notifying an individual about a breach at the time of the breach has an affirmative defense to a claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of a security system.
For a person to be able to invoke the protections of the Act, the written cybersecurity program should provide administrative, technical, and physical protections to safeguard personal information. This includes being designed to protect the security, confidentiality, and integrity of personal information and protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information or a breach of system security.
Jacey Skinner, the chamber’s vice president for public policy and general counsel, said the new protections were “a very positive way to help with the goal of protecting customer information” as opposed to rules that only mete out punishment, usually in the form of fines, if and when computer hacks or other actions lead to the loss of customers’ personal information.