Utah Becomes the Second U.S. State to Establish Affirmative Defenses for Data Breach
Privacy, Cyber & AI Decoded Alert | 1 min read
Mar 22, 2021
In enacting the Cybersecurity Affirmative Defense Act, HB80, (Act) on March 11, 2021, Utah became the second state in the U.S. to create affirmative defenses for “persons” to certain causes of action arising out of a breach of system security.[1]
“Persons” is defined to include individuals, associations, corporations, partnerships, and other business entities.
The Act provides protection to persons that create, maintain, and reasonably comply with industry-recognized cybersecurity regulations, like the NIST, ISO 2700, and the HIPAA Security Rule, among others identified in the Act. The written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information.
The Act establishes the following three (3) affirmative defenses to tort-based claims brought under Utah law in a Utah state court:
- A person that creates, maintains, and reasonably compiles with written industry-recognized cybersecurity regulations that were in place at the time of the breach has an affirmative defense to a claim that the person failed to implement reasonable information security controls that resulted in the breach;
- A person that creates, maintains, and reasonably complies with their program and also had in place protocols for responding to a breach of system security at the time of the breach has an affirmative defense to a claim that the person failed to appropriately respond to a breach of a security system; and
- A person that creates, maintains, and reasonably compiles with their program and also had in place protocols for notifying an individual about a breach at the time of the breach has an affirmative defense to a claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of a security system.
The affirmative defenses established in the Act are generally not available in circumstances where the person had notice of a threat or hazard.
The Act expressly states that it does not create a private right of action for failing to comply with its provisions.
[1] Ohio was the first state to establish affirmative defenses with the OH Data Protection Act in 2018.
Related Capabilities
Featured Insights
Press Release
May 20, 2026
Hinshaw Releases America 250 Book Exploring Insurance's Role in Building the United States
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 19, 2026
OCC's Final Escrow-Interest Preemption Rules Bolster the Second Circuit’s Cantero Decision
Webinar
May 19, 2026
Scott Seaman Speaks on Making Decisions in Difficult Risk Environments
Press Release
May 20, 2026
Hinshaw Releases America 250 Book Exploring Insurance's Role in Building the United States
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 19, 2026
OCC's Final Escrow-Interest Preemption Rules Bolster the Second Circuit’s Cantero Decision
Webinar
May 19, 2026
Scott Seaman Speaks on Making Decisions in Difficult Risk Environments
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 14, 2026
Key Takeaways from the 2026 MBA Legal Issues and Regulatory Compliance Conference
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 14, 2026
SCOTUS Confirms: Federal Courts Retain Power to Affirm or Vacate an Arbitration Decision
Event
May 14-15, 2026
In The News
May 13, 2026
Hinshaw Contributes Chapters to “Wrongful-Death and Survival Actions” IICLE Handbook
In The News
May 12, 2026
Hinshaw GC Steve Puiszis Discusses Protecting Attorney-Client Privilege in an AI Age
Event
May 12-13, 2026
Mitchel Chargo Speaks on the Rapidly Evolving Cannabis Industry
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 11, 2026
Tennessee Reaches Settlement with Mariner in Multistate UDAAP Enforcement Action
Press Release
May 11, 2026
Ali Degan Elected to the Fellows of the American Bar Foundation
Press Release
May 11, 2026
John Weedon Re-Elected to the Jacksonville Bar Association’s Board of Governors in 2026
