Today, the question is no longer a matter of “if,” but “when,” a company will fall victim to a successful security incident. Over the years, lawmakers have struggled with devising effective methods and incentives for companies to enhance their data protection programs without mandating one-size-fits-all requirements that undercut effective data security management.

Earlier this year, Utah enacted a new data security statute—the Utah Cybersecurity Affirmative Defense Act (“CADA”)—which accomplishes just that goal. With the CADA—the second law of its kind to be enacted in the United States—Utah businesses are now afforded a safe harbor against certain causes of action that commonly arise in data breach class action litigation where the entity maintains reasonable data protection measures to safeguard sensitive personal information at the time of the incident. From a broader perspective, the passage of the CADA may influence other states to follow Utah’s lead and enact similar laws of their own.

Originally published in the ABA TIPS Cybersecurity & Data Privacy Committee Newsletter (Summer 2021).