On March 11, 2021, Utah joined Ohio to become one of only two states nationally to offer an affirmative defense to tort lawsuits filed by individuals affected by a data security incident. Utah’s newly enacted Cybersecurity Affirmative Defense Act extends the incentive of an affirmative defense to both individuals and business entities. Although their non-punitive approaches place them in the minority, Ohio and Utah seek to incentivize covered entities to do the best they can to foresee and prevent cybersecurity incidents.
By way of background, Ohio passed the Ohio Data Protection Act in 2018 in a move that contrasted with the contemporaneously passed California Consumer Privacy Act (CCPA). Unlike the CCPA, Ohio’s legislation does not institute mandatory minimums for compliance, but rather presents an affirmative defense to avoid liability if a business entity creates, maintains and adheres to a written cybersecurity program that “reasonably” complies with one of several industry-recognized cybersecurity frameworks, such as those published by NIST (the National Institute of Standards and Technology). The Ohio Data Protection Act covers any business entity that “accesses, maintains, communicates, or processes personal information or restricted information.” A program reasonably complies with Ohio’s Act when it is appropriate in the context of the business’s scope and needs. Additionally, the program satisfies the eligibility standards if it is designed to: protect the security and confidentiality of personal information; protect against any anticipated threats or hazards; and prevent unauthorized access to and acquisition of information posing a material risk of identity theft or fraud.
To qualify for the affirmative defense under Ohio’s scheme, a suit brought against a covered entity must: (1) be based in tort law; (2) be brought under Ohio law or in its courts; and (3) allege that a failure to “implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.” If a covered entity satisfies all the requirements of the Act and the suit meets these criteria, the entity is entitled to use the affirmative defense to refute allegations that it failed to implement reasonable measures to protect information and that this failure resulted in a data security incident.
Expanding upon Ohio’s Act, Utah’s new Cybersecurity Affirmative Defense Act (CADA) covers both individuals and business entities (collectively defined as “persons” under the Act). Under CADA, if a covered “person” creates and maintains a written cybersecurity policy “reasonably” compliant with industry-trusted cybersecurity policies and regulations, they are able to raise three affirmative defenses. Like Ohio’s Act, Utah’s CADA does not establish mandatory minimum standards for these written policies. However, the policy must supply administrative, physical and technical protections for personal information. If a covered “person” faces suit in Utah courts under Utah tort law, there are three scenarios that would permit an affirmative defense to be raised:
- Where the person’s program reasonably complies with written industry-recognized regulations in place at the time of the breach, they may raise a defense to claims alleging a failure to implement information security safeguards;
- Where a person reasonably complies with their existing, maintained program, and had also previously implemented breach response protocols that were in place at the time of the incident, they may affirmatively defend against claims alleging an inappropriate response to an incident; and
- Where the person created, maintained and reasonably complied with their program, and had protocols in place at the time of the breach that established notification methods, they may raise an affirmative defense to claims alleging a failure to notify an affected individual during a data security incident.
Importantly, while CADA does not create a private right of action (unlike legislation such as California’s CCPA), a covered “person” cannot raise the affirmative defenses where they had notice of a threat to the security of the retained information.
What does this mean for companies worried about the swirling tempest that is a data security incident? If you operate in Ohio or Utah, create a written information security policy; implement incident response protocols; and establish notification procedures. In other words: practice reasonable data security.
The shift in industry vocabulary from “if” to “when,” in regard to the occurrence of a data security incident, highlights the practicality and pragmatism of the policies promulgated by these two states. It is nearly impossible to safeguard against all potential threats; likewise, even the best laid plans (for response and notification) can go awry. The approaches advanced by Ohio and Utah balance the interests of data security with a different focus than their sister states, but they nonetheless seek the same outcome: protecting sensitive and confidential information.