How to Comply With Utah’s New Data Security Law: Cybersecurity Affirmative Defense Act, H.B. 80
September 10, 2021 at 1:00 PM

A series of detrimental data security breaches in Utah has prompted a new line of defense for companies that fall victim to such events. The Cybersecurity Affirmative Defense Act, H.B. 80, is a law that was passed in Utah earlier this year as a way of protecting companies that subscribe to reasonable cybersecurity protocols. Utah’s new data security law empowers companies; however, it is only applicable in cases where the company can prove its security efforts.

To be eligible for the benefits of the Cybersecurity Affirmative Defense Act, H.B. 80, following a data security breach, organizations must follow a set of guidelines specified by the Utah government. In this article, our cybersecurity experts at It’s Just Results will explain everything your company needs to know to comply with this new law.

Select Utah as the governing body for your company

Many modern companies operate entirely remotely, meaning there is no fixed location in which the organization can press charges according to local laws. Additionally, there is no telling where a data breach will take place. To benefit from Utah’s protective cybersecurity laws, the company must register the state of Utah as the governing body in which laws will apply should a data breach occur. Once this is confirmed, Utah data security laws will apply regardless of the region in which the organization chooses to press charges. It should be noted that other states have their own cybersecurity acts in place; however, Utah’s newly passed data security law provides excellent protection against cases of data breach.

Address warnings

If your organization receives a notice stating that a data breach is going to occur, it is important to address it promptly. The state of Utah acknowledges that some warnings are unclear, and that there may not be enough time for the organization to respond to the threat prior to the security breach. However, in the event that such threats are ignored for an extended period of time, the act will not recognize your company as an eligible party. Employees should be instructed to follow a clear protocol in the event that warnings are received.

Implement a cybersecurity program

The most important guideline detailed in Utah’s Cybersecurity Affirmative Defense Act, H.B. 80, states that companies must have a written cybersecurity program in place to benefit from the new law. The organization must have a clear protocol for protecting sensitive information and detecting potential data security breaches. To ensure the legitimacy of the company’s program, proof of compliance with a recognized cybersecurity framework will be required. Not all frameworks, however, are considered comprehensive enough to qualify for this law. It is therefore the responsibility of each company to research eligible frameworks prior to implementation.

Consider the scale of the company

Although an extensive cybersecurity program may be in place, many companies fail to account for the amount of data that will be stored within the organization. Therefore, a security breach may be the result of a failure to provide protection for the entire amount of stored data. If this is the case, the law cannot be used as a line of defense. To avoid this, companies should reassess their data security mechanisms on a regular basis. This is particularly important as companies begin to grow and expand into new branches of operation.

Protect your company with a compliance assessment

Data security laws in Utah are complex, and you do not want to find out that your company has failed to comply with a protective act once your data has been compromised. Contact us today to schedule a compliance assessment.