Utah Becomes the Second U.S. State to Establish Affirmative Defenses for Data Breach

March 22, 2021
Hinshaw Privacy & Cyber Bytes

In enacting the Cybersecurity Affirmative Defense Act, HB80 (Act), on March 11, 2021, Utah became the second state in the U.S. to create affirmative defenses for “persons” to certain causes of action arising out of a breach of system security.[1]

“Persons” is defined to include individuals, associations, corporations, partnerships, and other business entities.

The Act provides protection to persons that create, maintain, and reasonably comply with industry-recognized cybersecurity regulations, such as NIST, ISO 27000, and the HIPAA Security Rule, among others identified in the Act. The written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information.

The Act establishes the following three (3) affirmative defenses to tort-based claims brought under Utah law in a Utah state court:

The affirmative defenses established in the Act are generally not available in circumstances where the person had notice of a threat or hazard.

The Act expressly states that it does not create a private right of action for failing to comply with its provisions.

[1] Ohio was the first state to establish affirmative defenses with the OH Data Protection Act in 2018.