States’ Safe Harbor Defense For Data Security Breaches Signals Possible Trend

Lowenstein Sandler LLP

[co-author: Ken Fishkin]

We are now seeing a potential trend where states are incentivizing companies through the creation of safe harbors to improve their cybersecurity posture, instead of penalizing them after a breach of personal information. Utah is the second state to use this model by passing the Cybersecurity Affirmative Defense Act, which provides a safe harbor to companies that maintain “reasonable” cybersecurity controls when managing personal information. This act is an amendment to their existing data breach law and would provide entities an affirmative defense to certain litigation claims.

“Reasonable” cybersecurity controls are defined for purposes of this safe harbor as complying with a written cybersecurity program that meets the following requirements:

  • Designed to protect the type of personal information obtained in the breach of system security
  • Aligns with one or more of the following frameworks:
    • NIST special publication 800-171, 800-53 and 800-53a;
    • Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense;
    • ISO 27000 Family - Information security management systems; or
  • For companies that are state or federally regulated or that are self-regulated, they will need to adhere to HIPAA, GLBA, PCI or other security requirements.

This type of legislation could be a great incentive for unregulated companies throughout the country to start making financial commitments to protect their clients’ and customers’ personal information. What remains unclear is what levels of substantiation will be required of entities asserting this safe harbor defense; however, there is little doubt that maintaining a thorough and up-to-date information security plan and ensuring its compliance through regular and systematic procedures will facilitate safe harbor status.

Utah’s safe harbor law follows Ohio’s 2018 passage of a similar safe harbor Data Protection Act Connecticut is contemplating a similar safe harbor provision law, as well.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Lowenstein Sandler LLP | Attorney Advertising

Written by:

Lowenstein Sandler LLP

Lowenstein Sandler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide