Pub. 16 2021-22 Issue 1

NEBRASKA BANKERS ASSOCIATION 13 COUNSELOR’S CORNER — continued on page 14 State Safe Harbor Laws A new Utah law is entitled the Cybersecurity Affirmative Defense Act (HB80) and it amends Utah’s data breach notification statute. This new law provides an affirmative defense for companies facing lawsuits which allege: • The company failed to implement reasonable information security; • The company failed to appropriately respond to a data breach; or, • The company failed to appropriately notify affected individuals. The law, however, only provides an affirmative defense if the company can prove: • They created and maintained a written cybersecurity program; • The program reasonably complied with a recognized cybersecurity framework; • The framework was in place at the time of the breach; • The cybersecurity program had protocols for responding to a breach of system security; and, • The company followed the protocols. 3 The law defines a cybersecurity program as one which reasonably conforms with frameworks such as: • National Institute of Standards and Technologies (NIST) frameworks such as 800-53, 800-171: • Federal Risk and Authorization Management Program Security Assessment Framework (FedRAMP); • Center for Internet security (CIS) critical security controls; or the • International Organization for Standardization (ISO) 27,000 family of controls. In 2018, Ohio passed a similar statute. 4 The Ohio law provides for an affirmative defense for businesses that: Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework. 5 There is some flexibility in these statutes. Companies are not forced to adopt and implement an entire framework, but rather they need only reasonably comply. Both statutes allow companies to customize their policy and tailor their approach. Utah and Ohio allow businesses to tailor their approach using criteria such as: • The size and complexity of the entity; • The nature and scope of the activities of the entity; • The sensitivity of the information to be protected; • The cost and availability of tools to improve information security and reduce vulnerabilities; and • The resources available to the entity. 6 The flexibility in this approach recognizes the limitations to small or medium-sized organizations’ resources while still providing protections from litigation. Connecticut is also considering a similar statue. 7 The proposed Connecticut law offers an affirmative defense if: [The] covered entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework. 8 The Connecticut law outlines a similar set of cybersecurity frameworks, such as NIST, ISO or FedRAMP, and, like Utah and Ohio, allows flexibility based on size and complexity of the organization, sensitivity of the data, cost and availability of tools and the resources of the entity. Federal Safe Harbor Laws Earlier this year, the federal government passed, and the president signed into law, the so-called HIPAA Safe Harbor