Utah Creates Safe Harbor for Companies Facing Data-Breach Litigation - shrm.org
[co-author: Ken Fishkin]
We are now seeing a potential trend where states are incentivizing companies through the creation of safe harbors to improve their cybersecurity posture, instead of penalizing them after a breach of personal information. Utah is the second state to use this model by passing the Cybersecurity Affirmative Defense Act, which provides a safe harbor to companies that maintain “reasonable” cybersecurity controls when managing personal information. This act is an amendment to Utah’s existing data breach law and would provide entities an affirmative defense to certain litigation claims.
“Reasonable” cybersecurity controls are defined for purposes of this safe harbor as complying with a written cybersecurity program that meets the following requirements:
Wednesday, April 7, 2021
In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.
In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act: