Protecting Business from Litigation: Affirmative Defense

Where: Utah

What: HB 158 (2020 | UT) creates an affirmative defense from litigation for businesses that follow state law on maintaining cyber security programs

How does the state define the cyber security programs with which businesses will have to comply?

  • conforms to an industry-recognized cybersecurity framework
  • example programs:
    • NIST special publication 800-171;
    • NIST special publications 800-53 and 800-53a;
    • the Federal Risk and Authorization Management Program Security Assessment Framework;
    • the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
    • the International Organization for Standardization/International Electrotechnical Commission 27000 Family – Information security management systems;
  • and, if the protected personal information is regulated by a government, cybersecurity protection programs must comply with the law