Earlier this year, Utah joined Ohio to become the second state to enact legislation creating an affirmative defense to certain causes of action arising out of a cybersecurity breach. Though not identical, both Utah’s Cybersecurity Affirmative Defense Act (“CADA”) and Ohio’s Data Protection Act (“ODPA”) primarily underscore the importance for organizations to be proactive in assessing their cybersecurity risk landscape and to then adequately address those risks. What makes these two new laws unique is that the affirmative defenses apply across all U.S. jurisdictions and give organizations an opportunity to mitigate against breach-related litigation, including class actions, unless and until a court decides otherwise. To benefit, organizations should ensure they (1) comply with the law and (2) update the choice of law clause in their website terms and conditions.
First, in order to assert the laws’ safe harbor as an affirmative defense, in response to allegations that failure to implement reasonable security controls caused a data breach, organizations must adhere to the laws’ specific requirements. To do so, they must create, maintain and comply with a written cybersecurity program that provides administrative, technical, and physical safeguards to protect personal information and that reasonably conforms to an industry-recognized cybersecurity framework (e.g., NIST special publication 800-171; FedRAMP; or, the ISO 27000 family of standards). This is not an insignificant ask of any organization, but both laws permit organizations the flexibility to tailor their written cybersecurity program in scale and scope depending on several factors, including i) the organization’s size and complexity, ii) the nature and scope of its activities, iii) the sensitivity of the information to be protected, iv) the cost and availability of tools to improve information security and reduce vulnerability and, v) the organization’s resources.
Second, organizations should update their website terms and conditions to reflect that either Utah or Ohio law governs. Both safe harbor laws provide that organizations are entitled to their respective affirmative defense in litigation brought under the laws of the state. Thus, designating either state’s laws as governing interpretation of an agreement, including an organization’s website terms and conditions, should position an organization to benefit from that state’s laws. Utah’s law addresses choice of law provisions explicitly, indicating that designation of Utah as the parties’ choice of the governing state law triggers application of the Cybersecurity Affirmative Defense Act “to the fullest extent possible in a civil action…brought in this state or another state.” See Utah Code § 78B-4-706. It will be interesting to observe how the plaintiffs’ bar responds to this new safe harbor, especially in light of the recent clarification, under the California Privacy Rights Act (“CPRA”), that "implementation and maintenance of reasonable security program . . . following a breach does not constitute a cure with respect to that breach."
The Privacy and Cybersecurity team at Michael Best is available to assist you by assessing your organization’s unique cybersecurity risk profile and, as your situation may indicate, updating your website terms and conditions choice of law provision.