As States Offer Data Breach ‘Safe Harbors,’ Not All Companies Are Receptive | Legaltech News

Utah recently became the second state to enact an affirmative defense for data breaches. But complicated compliance and added responsibilities might scare some companies off from leveraging the legal mechanism.
By Victoria Hudgins | April 23, 2021 at 08:00 AM

While federal lawmakers might be hesitant to enact national data privacy legislation, some states are quickly moving to define reasonable cybersecurity, and to protect those that adhere to it. But even as legislators extend “safe harbor” protections to encourage cybersecurity, lawyers noted some companies might ignore the incentive in order to avoid burdensome responsibilities.

In March, Utah joined Ohio in enacting a safe harbor provision that can grant compliant companies an affirmative defense to litigation stemming from a data breach. To obtain that legal defense, companies must adhere to a “reasonable security” program. Utah legislators defined a reasonable cybersecurity plan, in part, as measures that protect personal information, have protocols for responding to breaches and notifying impacted individuals, and reasonably conform to “recognized cybersecurity frameworks,” such as National Institute of Standards and Technology (NIST) programs.

Exterro product marketing manager Dan Sholler said the Utah measure hints at an ideology spreading in state legislatures to address budding privacy concerns.