78B-4-702. Affirmative defense for a breach of system security.
(1) |
A person that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements of Subsection (4), and is in place at the time of a breach of system security of the person, has an affirmative defense to a claim that:
Terms Used In Utah Code 78B-4-702- Breach of system security: means the same as that term is defined in Section 13-44-102. See Utah Code 78B-4-701
- Person: includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, another state, or another country. See Utah Code 78B-4-701
- Personal information: means the same as that term is defined in Section 13-44-102. See Utah Code 78B-4-701
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
(a) |
is brought under the laws of this state or in the courts of this state; and |
(b) |
alleges that the person failed to implement reasonable information security controls that resulted in the breach of system security. |
|
(2) |
A person has an affirmative defense to a claim that the person failed to appropriately respond to a breach of system security if:
(a) |
the person creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements of Subsection (4) and is in place at the time of the breach of system security; and |
(b) |
the written cybersecurity program had protocols at the time of the breach of system security for responding to a breach of system security that reasonably complied with the written cybersecurity program under Subsection (2)(a) and the person followed the protocols. |
|
(3) |
A person has an affirmative defense to a claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of system security if:
(a) |
the person creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements of Subsection (4) and is in place at the time of the breach of system security; and |
(b) |
the written cybersecurity program had protocols at the time of the breach of system security for notifying an individual about a breach of system security that reasonably complied with the requirements for a written cybersecurity program under Subsection (3)(a) and the person followed the protocols. |
|
(4) |
A written cybersecurity program described in Subsections (1), (2), and (3) shall provide administrative, technical, and physical safeguards to protect personal information, including:
(a) |
being designed to:
(i) |
protect the security, confidentiality, and integrity of personal information; |
(ii) |
protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and |
(iii) |
protect against a breach of system security; |
|
(b) |
reasonably conforming to a recognized cybersecurity framework as described in Subsection 78B-4-703(1); and |
(c) |
being of an appropriate scale and scope in light of the following factors:
(i) |
the size and complexity of the person; |
(ii) |
the nature and scope of the activities of the person; |
(iii) |
the sensitivity of the information to be protected; |
(iv) |
the cost and availability of tools to improve information security and reduce vulnerability; and |
(v) |
the resources available to the person. |
|
|
(5) |
(a) |
Subject to Subsection (5)(b), a person may not claim an affirmative defense under Subsection (1), (2), or (3) if:
(i) |
the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information; |
(ii) |
the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and |
(iii) |
the threat or hazard resulted in the breach of system security. |
|
(b) |
A risk assessment to improve the security, confidentiality, or integrity of personal information is not an actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information. |
|
Enacted by Chapter 40, 2021 General Session