[co-author: Ken Fishkin]

We are now seeing a potential trend where states are incentivizing companies through the creation of safe harbors to improve their cybersecurity posture, instead of penalizing them after a breach of personal information. Utah is the second state to use this model by passing the Cybersecurity Affirmative Defense Act, which provides a safe harbor to companies that maintain “reasonable” cybersecurity controls when managing personal information. This act is an amendment to their existing data breach law and would provide entities an affirmative defense to certain litigation claims.

“Reasonable” cybersecurity controls are defined for purposes of this safe harbor as complying with a written cybersecurity program that meets the following requirements:

• Designed to protect the type of personal information obtained in the breach of system security
• Aligns with one or more of the following frameworks:
  • NIST special publication 800-171, 800-53 and 800-53a;
  • Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense;
  • ISO 27000 Family - Information security management systems; or
• For companies that are state or federally regulated or that are self-regulated, they will need to adhere to HIPAA, GLBA, PCI or other security requirements.

This type of legislation could be a great incentive for unregulated companies throughout the country to start making financial commitments to protect their clients’ and customers’ personal information. What remains unclear is what levels of substantiation will be required of entities asserting this safe harbor defense; however, there is little doubt that maintaining a thorough and up-to-date information security plan and ensuring its compliance through regular and systematic procedures will facilitate safe harbor status.

Utah’s safe harbor law follows Ohio’s 2018 passage of a similar safe harbor Data Protection Act Connecticut is contemplating a similar safe harbor provision law, as well.