How to Comply With Utah’s New Data Security Law: Cybersecurity Affirmative Defense Act, H.B. 80
September 10, 2021 at 1:00 PM
Employees researching Utah data security laws

A series of detrimental data security breaches in Utah prompted a new line of defense for companies that fall victim to such events. The Cybersecurity Affirmative Defense Act, H.B. 80, is a law that was passed in Utah earlier this year, as a way of protecting companies that subscribe to reasonable cybersecurity protocols. Utah’s new data security law empowers companies to act in their own interest because it is only applicable if the company can show evidence of their security efforts.

To be eligible to reap the benefits of the Cybersecurity Affirmative Defense Act, H.B. 80, following a data security breach, organizations must follow a specific set of guidelines specified by the Utah government. In this article, our cybersecurity experts at It’s Just Results will outline what your company needs to know to comply with this new law.

Select Utah as the governing body for your company

Many modern companies operate entirely virtually, meaning there is no fixed headquarters or location in which the organization can press charges according to local laws. Additionally, a data breach can originate from anywhere in the world. To benefit from Utah’s protective cybersecurity laws, a company must register the state of Utah as the governing body in which laws will apply should a data breach occur. Once this is confirmed, Utah data security laws will apply regardless of the region in which the organization chooses to press charges. It should be noted that other states have their own cybersecurity acts in place, however Utah’s newly passed data security law provides excellent protection against cases of data breach. Selecting a governing body for your company may have other legal and financial implications. Any decisions should be thoroughly researched and made in consultation with an attorney.

Heed warning signs and take action

If your organization has identified a possible data breach, it must be addressed promptly. The state of Utah acknowledges that some warnings signs may be unclear, and may not provide sufficient time for the organization to respond to the threat prior to the security breach. However, in the event that such threats are found to have been ignored for an extended period, the act will not recognize your company as an eligible party. Employees should be instructed to follow a clear protocol in the event that threat indications are received.

Implement a cybersecurity program

The most important guideline detailed in Utah’s Cybersecurity Affirmative Defense Act, H.D. 80, states that companies must have a written cybersecurity program in place to benefit from the new law. The organization must have a clear protocol for protecting sensitive information and detecting potential data security breaches. To ensure the legitimacy of the company’s program, proof of compliance with a recognized cybersecurity framework will be required. Not all frameworks are considered sufficiently comprehensive to qualify a company for protection under this law. It is therefore the responsibility of each company to research eligible frameworks prior to implementation. The bill outlines the following frameworks or publications, which may be used individually or in combination:

  • NIST special publication 800-171
  • NIST special publications 800-53 and 800-53a
  • the Federal Risk and Authorization Management Program Security Assessment Framework
  • the Center for Internet Security Critical Security Controls for Effective Cyber Defense
  • the International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information security management systems

Consider the scale of the company

Even with an extensive cybersecurity program in place, many companies fail to account for the volume of data that will be stored within the organization. A security breach may be the result of a failure to protect all stored data adequately. In such a case, the law will not provide defense. To avoid falling into this situation, companies should regularly audit their data security mechanisms. This is particularly important when companies experience rapid growth and/or expand into new branches of operation.

Protect your company with a compliance assessment

Data security laws in Utah are complex, and companies need to seek compliance proactively to be eligible for protection. A compliance assessment can give you the information you need to take action. Once your data has been compromised, it will be too late. Contact us today to schedule a compliance assessment.