
Utah: Cybersecurity Affirmative Defense Act - A safe harbor for data breaches

On 11 March 2021, Utah Governor, Spencer Cox, signed House Bill ('HB') 80 for the Cybersecurity Affirmative Defense Act ('the Act') into law, providing Utah's response to the concern regarding potential liability even for entities that have made a strong compliance effort. Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, summarise its main provisions.


The global data privacy landscape

In the past five years, the data privacy landscape has changed rapidly and, in some ways, drastically. Following the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in 2018, many countries added their own comprehensive data privacy legislation, with some state and provincial governments deciding to offer similar protections to their constituents at the local level. As many of these subsequent laws have been modelled on, or drawn significantly from, the GDPR, an interesting pattern has emerged in the last four years: new legislation often appears designed to address questions that the GDPR left unanswered or areas where the GDPR is seen as ambiguous. For example, Brazil's Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') deviated from the GDPR by requiring a data protection officer ('DPO') for all organisations processing Brazilian personal data, possibly in response to the confusion over which organisations must appoint a DPO under the GDPR. California's landmark data privacy legislation, the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), set dollar amounts and other objective thresholds to make it clear to foreign entities when the CCPA would apply to them even though they were domiciled outside of California. This may have been a response to the conundrum faced by organisations that were unsure whether their processing of EU personal data could be considered 'occasional', which under Article 27(2)(a) of the GDPR would have exempted them from the obligation to designate a representative in the EU.

Some more recent data privacy legislation seems to respond to a concern many organisations expressed regarding their exposure to liability for data breaches under the GDPR. Article 82 of the GDPR provides that a data controller or processor is exempt from liability for damage caused by processing that infringes the GDPR only if it is not in any way responsible for the event which gives rise to the damage. The implication is that taking reasonable or even extraordinary steps to protect the personal data may be insufficient to shield an organisation from liability. Various states in the US have decided that, at least under their laws, organisations that have taken certain steps to protect personal data may have an affirmative defence to various data breach claims. In 2021, Utah joined the list of states passing such safe harbor legislation.

Utah's Cybersecurity Affirmative Defense Act

The Act creates affirmative defences to certain causes of action arising out of a 'breach of system security'1 that are brought in Utah courts or under Utah law.2 The Act applies to a person, which it defines as an individual, association, corporation, joint stock company, partnership, business trust, unincorporated organisation, or financial institution organised, chartered, or holding a license authorising operation under the laws of Utah or another state or country. For convenience, this article refers to such a 'person' as an 'organisation'.

Affirmative defences

There are three types of claims to which the Act provides affirmative defences:

  • Security failure: The first cause of action to which the Act provides an affirmative defence is a claim that the organisation failed to implement reasonable information security controls, which resulted in the breach of system security. The affirmative defence to such a claim is available to an organisation that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements of the statute (as further described below) and was in place at the time of the breach of system security.
  • Response failure: The second cause of action to which the Act provides an affirmative defence is a claim that the organisation failed to appropriately respond to a breach of system security. In such case, an organisation has an affirmative defence if:
    • the organisation creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements of the statute;
    • the program is in place at the time of the breach of system security;
    • the program had protocols at the time of the breach for responding to a breach that reasonably complied with the written cybersecurity program; and
    • the organisation followed the protocols.
  • Notification failure: The third cause of action to which the Act provides an affirmative defence is a claim that the organisation failed to appropriately notify individuals whose personal information3 was compromised in a breach of system security. Like the second affirmative defence outlined above, in order to avail themselves of the affirmative defence, organisations must have:
    • created, maintained, and reasonably complied with a written cybersecurity program that meets the requirements of the statute;
    • had the program in place at the time of the breach;
    • had a program with protocols at the time of the breach for responding to a breach that reasonably complied with the written cybersecurity program;
    • followed the protocols.

It is important to note that an organisation may not claim any of the affirmative defences under the Act if all of the following are true:

  • it had actual notice of the threat or hazard to the security, confidentiality, or integrity of personal information;
  • it did not act within a reasonable amount of time to take known remedial efforts against that threat or hazard; and
  • the threat or hazard resulted in the breach of system security.

Presumably to encourage companies to perform risk assessments to improve security, the Act clarifies that a risk assessment to improve security is not considered 'actual notice' of a threat or hazard.

Qualifying cybersecurity program

To qualify for the safe harbor and avail itself of any of the affirmative defences listed above, an organisation must have in place a written cybersecurity program that meets several requirements set forth in the Act. Because each defence turns on what the program required, and how the organisation complied with it, at the time of the breach, the practical corollary is that the program's successive versions and the evidence of compliance with them (risk assessments, training records, incident response protocols and records of their use) need to be retained so that the state of the program on the date of the breach can be demonstrated.

First, the cybersecurity program must be in writing.

Second, the cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information, including being designed to:

  • protect the security, confidentiality, and integrity of personal information;
  • protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
  • protect against a breach of system security.

Third, in addition to the above features, the Act requires that the program be of an appropriate scale and scope, considering the company's size, complexity, resources, and the nature and scope of its activities; the sensitivity of the information to be protected; and the cost and availability of tools to improve information security and reduce vulnerability.

Finally, the cybersecurity program must reasonably conform to a recognised cybersecurity framework. This requirement consists of three components:

  • The cybersecurity program must be designed to protect the type of personal information obtained in the breach of system security.
  • The cybersecurity program must reasonably conform to one of several recognised cybersecurity frameworks, or a combination thereof. The recognised cybersecurity frameworks listed in the Act include, among others:
    • the U.S. Department of Commerce's National Institute of Standards and Technology ('NIST') Special Publication ('SP') 800-171, 800-53, and 800-53a;
    • the Center for Internet Security Critical Security Controls for Effective Cyber Defense ('CIS Controls'); and
    • the International Organization for Standardization/International Electrotechnical Commission ('ISO/IEC') 27000 series.
  • The cybersecurity program must be a 'reasonable security program', which the law describes as including, among other things:
    • practices and procedures to detect, prevent, and respond to breaches;
    • training and managing employees in the practices and procedures designed to detect, prevent, and respond to breaches;
    • conducting risk assessments; and
    • periodically adjusting practices and procedures in light of changes or new circumstances affecting the security, confidentiality, and integrity of personal information.

It is important to note that while compliance with the Act can provide affirmative defences to certain claims under Utah law, the Act does not replace or remove compliance obligations imposed separately by state or federal law, such as the Health Insurance Portability and Accountability Act of 1996, as amended ('HIPAA'), the Gramm-Leach-Bliley Act of 1999, and Utah's Protection of Personal Information Act ('PPIA'), Utah Code §13-44-101 et seq. In particular, the PPIA's breach notification duties continue to apply: the Act's third defence addresses civil liability for an alleged failure to notify, not the notification obligation itself.

Accepted cybersecurity frameworks

The Act is similar to legislation passed in Ohio in 2018. The Ohio Data Protection Act, codified under Chapter 1354 of Title 13 of the Ohio Revised Code ('Ohio DPA'), also provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs that meet certain industry-recognised standards.4 The two laws are similar in many respects, including recognising the adequacy of the NIST Framework for Improving Critical Infrastructure Cybersecurity ('the NIST Cybersecurity Framework').5

Connecticut also passed its own safe harbor legislation in 2021, Connecticut House Bill No. 6607 (Public Act 21-119), An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses ('the Connecticut Cybersecurity Act'), which shares features of Utah's and Ohio's safe harbor laws.6 It protects organisations that voluntarily adopt a recognised cybersecurity framework (such as the NIST Cybersecurity Framework or the CIS Controls) and implement a written security program. The Connecticut protection is narrower than Utah's, however: it bars an award of punitive damages in tort actions brought under Connecticut law, rather than providing a complete affirmative defence to the claim.

The following table compares the industry standards accepted under the three state laws,7 and shows that the lists are virtually identical:

Utah

Under the Act, the cybersecurity program must reasonably conform to the current version of any of the following frameworks or publications, or any combination thereof:

  • the NIST Cybersecurity Framework;
  • NIST SP 800-171, 800-53, and 800-53a;
  • the Federal Risk and Authorization Management Program's ('FedRAMP') Security Assessment Framework ('SAF');
  • the CIS Controls; and
  • the ISO/IEC 27000 series.

Ohio

The Ohio DPA also requires the cybersecurity program to 'reasonably conform' to one of the following frameworks:

  • the NIST Cybersecurity Framework;
  • NIST SP 800-171, 800-53, and 800-53a;
  • FedRAMP's SAF;
  • the CIS Controls; and
  • the ISO/IEC 27000 series.

Connecticut

Under the Connecticut Cybersecurity Act, the cybersecurity program must conform to the current version of any of the following frameworks or publications, or any combination thereof:

  • the NIST Cybersecurity Framework;
  • NIST SP 800-171, 800-53, and 800-53a;
  • FedRAMP's SAF;
  • the CIS Controls; and
  • the ISO/IEC 27000 series.


The trend toward rewarding organisations that implement information security controls and adopt recognised cybersecurity programs is beginning to appear at the federal level as well. In January 2021, H.R. 7898 (commonly called the HIPAA Safe Harbor bill) was signed into law.8 It is not a true safe harbor: rather than barring enforcement, it amends the HITECH Act to require the Department of Health and Human Services to take into account whether a HIPAA-covered entity or business associate had 'recognized security practices', such as the NIST Cybersecurity Framework, in place for the previous 12 months when determining fines, the outcome of audits, and other remedies for HIPAA Security Rule violations.

By contrast, California's data protection legislation, the CCPA, does not create safe harbor and thus does not identify specific acceptable frameworks. It does, however, limit the ability of consumers to sue an organisation for a data breach unless the data breach occurred as 'a result of' the business failing to 'implement and maintain reasonable security procedures and practices […]'.9 There was a legislative effort in 2019 to amend the CCPA's private right of action to link 'reasonable security procedures and practices' to NIST standards, clarifying that the NIST Cybersecurity Framework and SP 800-171 meet the CCPA's reasonable security procedures standard.10 However, as of this writing, no such amendments have been adopted.

Best practice example: NIST Standards

One way to meet the Act's requirement to implement a recognised cybersecurity program is to follow the NIST Cybersecurity Framework, along with the guidance published in a relevant NIST SP. NIST conformance is preferred by many organisations because it is not only recognised as an adequate cybersecurity program under certain state and federal laws, but is also required of certain federal government contractors (for example, SP 800-171 is mandated by DFARS clause 252.204-7012 for US Department of Defense contractors that handle controlled unclassified information).

The NIST Cybersecurity Framework is a risk-based framework for managing cybersecurity risk rather than a prescriptive set of controls; it does not dictate particular technical measures. Its core is organised into five functions that operate concurrently and continuously, not as sequential steps. The technical details differ between organisations and industries and are beyond the scope of this publication, but in summary the five functions are:

  • Identify: develop an organisational understanding of the systems, people, assets, data and capabilities that need to be protected and of the risk to them.
  • Protect: develop and implement safeguards to ensure delivery of critical services and protect the data.
  • Detect: develop and implement activities to identify the occurrence of a cybersecurity event when it happens.
  • Respond: develop and implement activities, according to a prepared plan, to take action regarding a detected cybersecurity incident.
  • Recover: maintain plans for resilience and restore any capabilities or services that were impaired by an incident.

The version cited in this article is v1.1 (April 2018).5 NIST released version 2.0 in February 2024, which adds a sixth function, Govern, covering organisational risk strategy, roles, and policy. Because the Utah and Connecticut statutes refer to the 'current version' of the listed frameworks, organisations should map their programs to the version in force rather than to the 2018 text.

NIST also sets out how data should be protected in its 800-series of SPs, which are followed by federal agencies. Guidance relevant to organisations seeking to meet the requirements of the Act may be found in SP 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations', and SP 800-53, 'Security and Privacy Controls for Information Systems and Organizations'.

Conclusion

As organisations wrestle to meet compliance obligations across jurisdictions during this time of rapid change in data privacy law, a trend toward incentivising and rewarding companies that undertake strong security efforts has emerged. While organisations are unlikely to have a clear safe harbor across all 50 states anytime soon, the recent adoption of the Act demonstrates that the trend towards such provisions continues. The affirmative defences provided under the Act can add an element of stability in a rapidly shifting legal and technological environment. Conveniently, the Act includes a choice of law provision under which an organisation that designates Utah law as the governing law of an agreement may rely on the Act regardless of where a civil action under that agreement is brought.2 That provision only reaches actions brought under such an agreement; it does not by itself govern a claim by an individual who is not a party to it. Considering the protection provided to organisations that meet the requirements of the Act, organisations should nevertheless consider choosing Utah law as the governing law of their agreements.

Clifford F. Blair, Shareholder
Rachel Naegeli, Associate
Kirton McConkie, St. George


1. Defined as 'an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information' (Utah Code §13-44-102(1)).
2. A choice of law provision in the statute provides that it must be applied to the 'fullest extent possible' in actions brought in other states under an agreement with a Utah choice of law provision (Utah Code §78B-4-705).
3. Defined as first name or initial and last name combined with a social security number, driver license number, or state identification number; a financial account number; or a password. Information contained in governmental records or that is lawfully 'widely distributed' in the media is excluded from the definition of personal information (Utah Code §13-44-102(4)).
4. Ohio Rev. Code §1354.01 et seq.
5. Available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
6. Available at: https://www.cga.ct.gov/2021/act/Pa/pdf/2021PA-00119-R00HB-06607-PA.PDF
7. Connecticut Cybersecurity Act §(1)(c)(1)(A); Utah Code §78B-4-703(1)(b)(ii); Ohio Rev. Code §1354.03(A)(1).
8. Act of 5 January 2021, Public Law No. 116-321, 134 Stat. 5072.
9. Cal. Civ. Code §1798.150(a)(1).
10. Assemb. 1035, 2019-2020 Reg. Sess. (Cal. 2019).
