Alston & Bird Privacy, Cyber & Data Strategy Blog

2021 Developments in State Cybersecurity Safe Harbor Laws

April 20, 2021 By Alysa Austin

Only four months in, and 2021 has already been a big year for state cybersecurity safe harbor legislation. Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the Center for Internet Security’s (CIS) Critical Security Controls.

Utah

In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor statute for businesses impacted by a data breach. Specifically, an entity that “creates, maintains, and reasonably complies” with a written cybersecurity program modeled after one of several named cybersecurity frameworks may have an affirmative defense to certain claims if the program is in place at the time it experiences a breach of its system security. “Breach of system security” is defined under the law to mean an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.

To be eligible, the written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information. Those measures must:

  • be designed to protect the security, confidentiality, and integrity of personal information against anticipated threats and hazards, as well as against a breach of system security;
  • reasonably conform to an industry-recognized cybersecurity framework such as NIST 800-171 or 800-53, FedRAMP, CIS controls, ISO 27000, and/or PCI DSS, and federal laws including the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA, and HITECH, as appropriate; and
  • be of “appropriate scale and scope” to the company, the nature of its activities, the sensitivity of the information to be protected, and the tools and resources available to the entity.

The Utah safe harbor only applies to claims based on Utah law or brought in a Utah court. Unlike its Ohio counterpart, however, the Utah safe harbor is not expressly limited to tort claims, potentially broadening its scope to include an affirmative defense against contract claims.

Exceptions to the safe harbor include cases in which a business had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information, or in which it failed, within a reasonable amount of time, to take known remedial measures to protect the personal information, and that failure resulted in a breach.

Connecticut

Connecticut recently proposed its own safe harbor statute, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” H.B. 6607, which effectively mirrors the Ohio law. That is, entities that implement “reasonable cybersecurity controls” and comply with a cybersecurity program modeled on one of the industry-recognized frameworks and/or federal laws may have an affirmative defense to certain claims if the business experiences a data breach of personal or restricted information. “Restricted information” means any unencrypted information about an individual, other than personal information, that could be used to distinguish or trace an individual’s identity or that is linked or linkable to an individual, the breach of which is likely to result in a material risk of identity theft or fraud.

Importantly, as with the Ohio law, the safe harbor only applies to tort claims that are based on Connecticut law or brought in a Connecticut court, which means that there is no affirmative defense against contract claims. If passed, the law would become effective on October 1, 2021.

Overall, the laws and proposed legislation incentivize businesses to invest in heightened protections around personal information by creating an affirmative defense from certain claims if the business experiences a data breach. Given that many states already require a written cybersecurity program as part of their data security laws, it would not be surprising to see other states take a similar approach in the future.

Filed Under: Cybersecurity, Data Breach Litigation, Data Protection, Data Security

About Alysa Austin

Alysa Austin is an associate with Alston & Bird’s Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.
