2021 Developments In State Cybersecurity Safe Harbor Laws

Published on May 11th, 2021

United States:

Only four months in, 2021 has already been a big year for
state cybersecurity safe harbor legislation. Two states, Utah
and Connecticut, have recently enacted or introduced a breach
litigation safe harbor that incentivizes businesses to protect
personal information by adopting industry-recognized cybersecurity
frameworks such as the National Institute of Standards and
Technology's (NIST) Cybersecurity Framework and the Center for
Internet Security's (CIS) Critical Security Controls.

Utah

In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe
harbor statute for businesses impacted by a data breach.
Specifically, an entity that "creates, maintains, and
reasonably complies" with a written cybersecurity program
modeled after one of several named cybersecurity frameworks may
assert an affirmative defense to certain claims, provided the program was in
place at the time it experienced a breach of its system security.
"Breach of system security" is defined under the law to
mean an unauthorized acquisition of computerized data maintained by
a person that compromises the security, confidentiality, or
integrity of personal information.
To be eligible, the written cybersecurity program must provide
administrative, technical, and physical safeguards to protect
personal information. Those measures must:

  • be designed to protect the security, confidentiality,
    and integrity of personal information against anticipated threats and
    hazards, as well as against a breach of system security;
  • reasonably conform to an industry-recognized cybersecurity
    framework such as NIST SP 800-171 or SP 800-53, FedRAMP, the CIS Controls,
    the ISO/IEC 27000 series, and/or PCI DSS, or to federal laws including the
    cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act,
    FISMA, and HITECH, as appropriate; and
  • be of "appropriate scale and scope" to the company,
    the nature of its activities, the sensitivity of the information to
    be protected, and the tools and resources available to the
    entity.

The Utah safe harbor only applies to claims based on Utah law or
brought in a Utah court. Unlike its Ohio counterpart, however, the
Utah safe harbor is not expressly limited to tort claims,
potentially broadening its scope to include an affirmative defense
against contract claims.

The safe harbor is not available if the business had actual
notice of a threat or hazard to the security, confidentiality, or
integrity of personal information, or if it failed, within a
reasonable amount of time, to take known remedial measures to protect
the personal information and a breach resulted.

Connecticut

Connecticut recently proposed its own safe harbor statute,
"An Act Incentivizing the Adoption of Cybersecurity Standards
for Businesses," H.B. 6607, which effectively mirrors the Ohio
law. That is, entities that implement "reasonable
cybersecurity controls" and comply with a cybersecurity
program modeled on one of the industry-recognized frameworks and/or
federal laws may assert an affirmative defense to certain claims if
the business experiences a data breach of personal or restricted
information. "Restricted information" means any
unencrypted information about an individual, other than personal
information, that could be used to distinguish or trace an
individual's identity or that is linked or linkable to an
individual, and whose breach is likely to result in a material
risk of identity theft or fraud.

Importantly, as with the Ohio law, the safe harbor only applies
to tort claims that are based on Connecticut law or brought in a
Connecticut court, which means that there is no affirmative defense
against contract claims. If passed, the law would become effective
on October 1, 2021.

Overall, these enacted and proposed laws incentivize
businesses to invest in heightened protections around personal
information by creating an affirmative defense to certain claims
if the business experiences a data breach. Given that many states
already require a written cybersecurity program as part of their
data security laws, it would not be surprising to see other states
take a similar approach in the future.

Originally Published 20 April, 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
