Only four months in and 2021 has already been a big year for state cybersecurity safe harbor legislation. Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the Center for Internet Security’s (CIS) Critical Security Controls.
In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor statute for businesses impacted by a data breach. Specifically, an entity that “creates, maintains, and reasonably complies” with a written cybersecurity program modeled after one of several named cybersecurity frameworks may have an affirmative defense to certain claims if the program is in place at the time it experiences a breach of its system security. “Breach of system security” is defined under the law to mean an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
To be eligible, the written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information. Those measures must:
- be designed to protect against the security, confidentiality, and integrity of personal information and anticipated threats and hazards, as well as a breach of system security;
- reasonably conform to an industry-recognized cybersecurity framework such as NIST 800-171 or 800-53, FedRAMP, CIS controls, ISO 27000, and/or PCI DSS, and federal laws including the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA, and HITECH, as appropriate; and
- be of “appropriate scale and scope” to the company, the nature of its activities, the sensitivity of the information to be protected, and the tools and resources available to the entity.
The Utah safe harbor only applies to claims based on Utah law or brought in a Utah court. Unlike its Ohio counterpart, however, the Utah safe harbor is not expressly limited to tort claims, potentially broadening its scope to include an affirmative defense against contract claims.
Exceptions to the safe harbor include if a business had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information, or if it did not act in a reasonable amount of time to take known remedial efforts to protect the personal information that resulted in a breach.
Connecticut recently proposed its own safe harbor statute, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” H.B. 6607, which effectively mirrors the Ohio law. That is, entities that implement “reasonable cybersecurity controls” and comply with a cybersecurity program modeled on one of the industry-recognized frameworks and/or federal laws may have an affirmative defense to certain claims if the business experiences a data breach of personal or restricted information. “Restricted information” means any unencrypted information about an individual, other than personal information, that could be used to distinguish or trace an individual’s identity or that is linked or linkable to an individual, the breach of which is likely to result in a material risk of identity theft or fraud.
Importantly, as with the Ohio law, the safe harbor only applies to tort claims that are based on Connecticut law or brought in a Connecticut court, which means that there is no affirmative defense against contract claims. If passed, the law would become effective on October 1, 2021.
Overall, the laws and proposed legislation incentivize businesses to invest in heightened protections around personal information by creating an affirmative defense from certain claims if the business experiences a data breach. Given that many states already require a written cybersecurity program as part of their data security laws, it would not be surprising to see other states take a similar approach in the future.