Utah law requires a covered entity to investigate when there is a breach of the entity’s data security system. If the investigation reveals that personal information will likely be misused, the entity must comply with the state’s data security breach notification requirements. Effective May 5, 2021, the Cybersecurity Affirmative Defense Act (the “Act”) amends Utah’s data security breach compliance requirements to create affirmative defenses for certain causes of action arising out of a data security breach.
Under the Act, a company that creates, maintains and reasonably complies with a written cybersecurity program that meets certain requirements and that is in place at the time of a breach has an affirmative defense to a claim alleging that the company failed to implement reasonable information security controls, resulting in the breach.
In addition, a company has an affirmative defense to a claim that it failed to appropriately respond to a breach or notify an individual whose personal information was compromised if:
- The company creates, maintains and reasonably complies with a written cybersecurity program that provides administrative, technical, and physical safeguards to protect personal information designed to:
- Protect the security, confidentiality, and integrity of personal information;
- Protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
- Protect against a breach of system security.
- The written cybersecurity program includes protocols for responding to a breach, and the company’s response to the breach reasonably complied with those protocols, such as practices and procedures to detect, prevent, and respond to breaches, including conducting risk assessments.
The Act also requires that, to qualify for the defense, a written cybersecurity program be of an appropriate scale and scope, which considers:
- A company’s size and complexity;
- The nature and scope of its activities;
- The sensitivity of the information to be protected;
- The cost and availability of tools to improve information security and reduce vulnerability; and
- The company’s resources.
However, the affirmative defense is not available to a business if the business had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information, did not act within a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard, and a security breach resulted.