Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers, and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”
But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”), if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program it has an affirmative defense to a civil tort claim.
Requirements Under the Proposed Act
Under the Proposed Act, a “data breach” would mean unauthorized access that compromises personal information and causes or may cause identity theft or other fraud to an individual or an individual’s property. A covered entity would include:
[A] business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this state.
The Proposed Act would require that a covered entity’s written cybersecurity program contain safeguards to protect personal information, and that it be designed to:
- Protect the security and confidentiality of personal information;
- Protect against any anticipated threat or hazard to the security or integrity of personal information; and
- Protect against a data breach of personal information
The Proposed Act would also require that a covered entity’s written cybersecurity program “reasonably conform to an industry recognized cybersecurity framework.” It lists “the framework for improving critical infrastructure developed by NIST” and the “Center for Internet Security Critical Controls for Effective Cyber Defense,” among others. See here, here, and here for brief explanations of frameworks that conform to the Proposed Act.
While it is still too early to predict whether the Proposed Act will be adopted, Utah’s technology-focused economy and early adoption of other cybersecurity and privacy laws suggests it is probable. Utah is the second state to enact the Computer Abuse and Data Recovery Act, whose purpose is to safeguard businesses from the unauthorized use and/or access of computers, platforms, or data, and the first state to enact the Electronic Information or Data Privacy Act, whose purpose is to prohibit law enforcement from obtaining personal electronic information from third-parties without a warrant.
Recent reports have chronicled the devastating impact that ransomware is having on organizations. According to the New York Times,
In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41 percent increase from the year before, according to information provided to The New York Times by Emsisoft, a security firm that helps companies hit by ransomware.
To make matters worse, new and more destructive variants of ransomware are emerging. Maze ransomware not only encrypts networks and requires payment for decryption, it infiltrates a network and exfiltrates data beforehand. The ransomware is then deployed, and the bad actors threaten to publicly post the exfiltrated data (which is usually proprietary or personal) if the ransom payment is not promptly paid through an untraceable bitcoin account.
When experiencing a cybersecurity attack involving ransomware, especially the Maze variant, organizations should engage experienced outside counsel to commence an internal investigation and determine what and how it happened, and to:
- Retain technical consultants to negotiate with the threat actors, determine what data was exfiltrated, manage the decryption process, recover and remediate impacted systems, and eliminate the risk of reinfection.
- Leverage relationships with law enforcement to cross-refence elements of the ransomware with databases and obtain helpful information.
- Work with insurers to determine whether and how coverage applies (i.e., cyber risk, kidnap and ransom, cyber extortion, or various other cybercrime policies).
- Establish separate lines of communication for key personnel in case normal lines of communication are compromised during the negotiation or decryption phases.
- Provide advice relating to what, if any, legal obligations have been triggered by the exfiltration of data and the deployment of ransomware.
 Romaine Marshall, Achieving Industry Standards, Global Privacy & Security Blog® (Oct. 28, 2019), https://www.stoelprivacyblog.com/2019/10/articles/privacy/achieving-industry-standards/.
 Romaine Marshall, CCPA Is Here — Is Your Security “Reasonable”?, Global Privacy & Security Blog® (Jan. 7, 2020), https://www.stoelprivacyblog.com/2020/01/articles/uncategorized/ccpa-is-here-is-your-security-reasonable/
 H.B. 158 Data Privacy Amendments, Utah State Legislature, https://le.utah.gov/~2020/bills/static/HB0158.html.
 Utah Code Ann. § 63D-3-104.
 Utah Code Ann. § 77-23c-102.
 See, e.g., Sean Lyngaas, FBI warns U.S. companies about Maze ransomware, appeals for victim data, cyberscoop (Jan. 2, 2020) https://www.cyberscoop.com/fbi-maze-ransomware/.