Is a New Privacy Trend on the Rise? What Businesses Can Learn from Utah’s New Data Breach Safe Harbor Law

Fisher Phillips

A new trend in privacy law appears to be on the horizon. Earlier this year, Utah joined Ohio on the forefront of jurisdictions that provide data breach safe harbors to entities where certain conditions are met. What can your business learn from this new trend – and will it be coming to your state anytime soon?

Utah’s New Safe Harbor Law

Under Utah’s recently passed Cyber Security Affirmative Defense Act, entities that create, maintain, and reasonably comply with a written cybersecurity program may use their compliance with their cybersecurity program as an affirmative defense to data breach claims brought under state law.

For an entity to use the affirmative defense provided by the Act, the written cybersecurity program must:

  • Be designed to protect the security, confidentiality, and integrity of personal information; and
  • Conform to recognized cybersecurity frameworks such as:
    • National Institute of Standards and Technology (“NIST”) Special Publications 800-171, 800-53, and 800-53A;
    • Center for Internet Security (“CIS”) Critical Security Controls for Effective Cyber Defense; or
    • International Organization for Standardization/International Electrotechnical Commission (“ISO”) 27000 family of information security management system standards.

Entities may also rely upon the affirmative defense where they comply with the requirements of various laws such as:

  • The Health Insurance Portability and Accountability Act;
  • The Gramm-Leach-Bliley Act;
  • The Federal Information Security Modernization Act;
  • The Health Information Technology for Economic and Clinical Health Act;
  • The Protection of Personal Information Act; or
  • Any other applicable federal or state regulation.

The affirmative defense, however, is not without its nuances. Specifically, the written cybersecurity program must be of an appropriate “scale and scope” for the company, based upon several factors. Additionally, the safe harbor may be lost where an entity fails to respond properly when it has actual notice of a security threat.

What’s Next?

Data breach safe harbors are a relatively new phenomenon, and thus far exist in just Ohio and Utah. Other states, however, may soon follow suit. In fact, Connecticut’s legislature is currently considering legislation that essentially mirrors Ohio’s safe harbor law.

Even if your business does not operate in a safe harbor jurisdiction, it may be beneficial to follow the procedures outlined in these laws. Specifically, following this guidance may reduce your business’s vulnerability to cyber threats and avoid negative publicity regarding a lack of data safeguards. Additionally, to the extent that a breach occurs and a tort-based negligence theory of liability is pursued in court, a company following the steps outlined in the Ohio or Utah laws can argue that it exercised reasonable care to avoid a breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising
