2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill creates affirmative defenses to certain causes of action arising out of a data
10 breach.
11 Highlighted Provisions:
12 This bill:
13 ▸ defines terms;
14 ▸ creates affirmative defenses to causes of action arising out a data breach involving
15 personal information, restricted information, or both personal information and
16 restricted information;
17 ▸ establishes the requirements for asserting an affirmative defense;
18 ▸ provides that the creation of an affirmative defense does not create a cause of action
19 for failure to comply with the requirements for asserting the affirmative defense;
20 and
21 ▸ provides a severability clause.
22 Money Appropriated in this Bill:
23 None
24 Other Special Clauses:
25 None
26 Utah Code Sections Affected:
27 ENACTS:
28 78B-4-701, Utah Code Annotated 1953
29 78B-4-702, Utah Code Annotated 1953
30 78B-4-703, Utah Code Annotated 1953
31 78B-4-704, Utah Code Annotated 1953
32 78B-4-705, Utah Code Annotated 1953
33
34 Be it enacted by the Legislature of the state of Utah:
35 Section 1. Section 78B-4-701 is enacted to read:
36
37 78B-4-701. Definitions.
38 As used in this part:
39 (1) (a) "Business" means:
40 (i) an association;
41 (ii) a corporation;
42 (iii) a limited liability company;
43 (iv) a limited liability partnership;
44 (v) a sole proprietorship;
45 (vi) another group, however organized and whether operating for profit or not for
46 profit; or
47 (vii) a parent or subsidiary of any of the entities described in Subsections (1)(a)(i)
48 through (vi).
49 (b) "Business" includes a financial institution organized, chartered, or holding a license
50 authorizing operation under the laws of this state, another state, or another country.
51 (2) "Covered entity" means a business that accesses, maintains, communicates, or
52 processes personal information or restricted information in or through one or more systems,
53 networks, or services located in or outside of this state.
54 (3) (a) "Data breach" means the unauthorized access to or acquisition of electronic data
55 that:
56 (i) compromises the security or confidentiality of personal information or restricted
57 information owned by or licensed to a covered entity; and
58 (ii) causes, is reasonably believed to have caused, or is reasonably believed will cause a
59 material risk of identity theft or other fraud to an individual or an individual's property.
60 (b) "Data breach" does not include:
61 (i) good faith acquisition of personal information or restricted information by the
62 covered entity's employee or agent for a purpose of the covered entity if the personal
63 information or restricted information is not used for an unlawful purpose or subjected to further
64 unauthorized disclosure; or
65 (ii) acquisition of personal information or restricted information pursuant to:
66 (A) a search warrant, subpoena, or other court order; or
67 (B) a subpoena, order, or duty of a federal or state agency.
68 (4) (a) "Data item" means:
69 (i) a social security number;
70 (ii) a birth date;
71 (iii) a driver license number or state identification number; or
72 (iv) a financial account number or credit or debit card number when combined with
73 any required security code, access code, or password that is necessary to permit access to an
74 individual's financial account.
75 (b) "Data item" does not include an item described in Subsection (4)(a) if the item is
76 encrypted, redacted, or altered by any method or technology that makes the item unreadable.
77 (5) "Encrypted" means transformed, using an algorithmic process, into a form that has
78 a low probability of assigning meaning without the use of a confidential process, access key, or
79 password.
80 (6) "Individual's name" means:
81 (a) the individual's first name and last name; or
82 (b) the individual's last name and the initial of the individual's first name.
83 (7) "NIST" means the National Institute of Standards and Technology.
84 (8) "PCI data security standard" means the Payment Card Industry Data Security
85 Standard.
86 (9) (a) "Personal information" means an individual's name when combined with one or
87 more data items.
88 (b) "Personal information" does not include publicly available information that is
89 lawfully made available to the general public from federal, state, or local records or any of the
90 following media that are widely distributed:
91 (i) a news, editorial, or advertising statement published in a bona fide newspaper,
92 journal, magazine, or broadcast over radio or television;
93 (ii) a gathering or furnishing of information or news by a bona fide reporter,
94 correspondent, or news bureau to news media described in Subsection (9)(b)(i);
95 (iii) a publication designed for and distributed to members of a bona fide association or
96 charitable or fraternal nonprofit corporation; or
97 (iv) any type of media that is substantially similar in nature to any item, entity, or
98 activity described in Subsection (9)(b)(i) through (iii).
99 (10) "Redact" means to alter or truncate a data item so that no more than:
100 (a) the last four digits of a social security number, driver license number, state
101 identification number, financial account number, or credit or debit card number is accessible;
102 or
103 (b) the last six digits of a birth date is accessible.
104 (11) "Restricted information" means any information, other than personal information,
105 about an individual that:
106 (a) (i) alone, or in combination with other information, including personal information,
107 can be used to distinguish or trace the individual's identity; or
108 (ii) is linked or linkable to an individual;
109 (b) is not encrypted, redacted, or altered by a method or a technology that makes the
110 information unreadable; and
111 (c) if accessed or acquired without authority, is likely to result in a material risk of
112 identity theft or fraud to the individual or the individual's property.
113 Section 2. Section 78B-4-702 is enacted to read:
114 78B-4-702. Affirmative defense for a data breach of cyber data.
115 (1) A covered entity that creates, maintains, and complies with a written cybersecurity
116 program that meets the requirements of Subsection (3) and is in place at the time of a data
117 breach of the covered entity has an affirmative defense to a civil tort claim that:
118 (a) is brought under the laws of this state or in the courts of this state;
119 (b) alleges that the covered entity failed to implement reasonable information security
120 controls;
121 (c) alleges that the failure described in Subsection (1)(b) resulted in a data breach of
122 personal information; and
123 (d) does not allege a data breach of restricted information.
124 (2) A covered entity that creates, maintains, and complies with a written cybersecurity
125 program that meets the requirements of Subsection (4) and is in place at the time of a data
126 breach of the covered entity has an affirmative defense to a civil tort claim that:
127 (a) is brought under the laws of this state or in the courts of this state; and
128 (b) alleges that the covered entity failed to implement reasonable information security
129 controls that resulted in a data breach of personal information and restricted information.
130 (3) A written cybersecurity program described in Subsection (1) shall contain
131 administrative, technical, and physical safeguards to protect personal information, including:
132 (a) being designed to:
133 (i) protect the security and confidentiality of personal information;
134 (ii) protect against any anticipated threat or hazard to the security or integrity of
135 personal information; and
136 (iii) protect against a data breach of personal information;
137 (b) reasonably conform to an industry recognized cybersecurity framework as
138 described in Section 78B-4-704; and
139 (c) being of an appropriate scale and scope in light of the following factors:
140 (i) the size and complexity of the covered entity;
141 (ii) the nature and scope of the activities of the covered entity;
142 (iii) the sensitivity of the information to be protected;
143 (iv) the cost and availability of tools to improve information security and reduce
144 vulnerability; and
145 (v) the resources available to the covered entity.
146 (4) A written cybersecurity program described in Subsection (2) shall meet the
147 requirements described in Subsection (3), except that the requirements of Subsection (3) shall
148 apply to both personal information and restricted information.
149 Section 3. Section 78B-4-703 is enacted to read:
150 78B-4-703. Components of a cybersecurity program eligible for an affirmative
151 defense.
152 (1) Subject to Subsection (2), a covered entity's written cybersecurity program
153 reasonably conforms to an industry recognized cybersecurity framework if the written
154 cybersecurity program:
155 (a) is designed to protect the type of personal information and restricted information
156 obtained in the data breach;
157 (b) reasonably conforms to the current version of any of the following frameworks or
158 publications, or any combination of the following frameworks or publications:
159 (i) the framework for improving critical infrastructure cybersecurity developed by
160 NIST;
161 (ii) NIST special publication 800-171;
162 (iii) NIST special publications 800-53 and 800-53a;
163 (iv) the Federal Risk and Authorization Management Program Security Assessment
164 Framework;
165 (v) the Center for Internet Security Critical Security Controls for Effective Cyber
166 Defense; or
167 (vi) the International Organization for Standardization/International Electrotechnical
168 Commission 27000 Family - Information security management systems;
169 (c) for personal information or restricted information obtained in the data breach that is
170 regulated by the federal government or state government, reasonably complies with the
171 requirements of the regulation, including:
172 (i) the security requirements of the Health Insurance Portability and Accountability Act
173 of 1996, as described in 45 C.F.R. Part 164, Subpart C;
174 (ii) Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended;
175 (iii) the Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283;
176 (iv) the Health Information Technology for Economic and Clinical Health Act, as set
177 forth in 45 C.F.R. Part 164; or
178 (v) any other applicable federal or state regulation; and
179 (d) for personal information or restricted information obtained in the data breach that is
180 the type of information intended to be protected by the PCI data security standard, reasonably
181 complies with the current version of the PCI data security standard.
182 (2) (a) If an industry recognized cybersecurity framework described in Subsection (1) is
183 revised or amended, a covered entity with a written cybersecurity program that reasonably
184 conforms to the industry recognized cybersecurity framework that is revised or amended shall
185 reasonably conform to the revised industry recognized cybersecurity framework no later than
186 one year from:
187 (i) for an industry recognized cybersecurity framework described in Subsection
188 (1)(b)(i), the day on which the revision is published;
189 (ii) for an industry recognized cybersecurity framework described in Subsection
190 (1)(b)(ii), the effective date of the amended law; or
191 (iii) for an industry recognized cybersecurity framework described in Subsection
192 (1)(b)(iii), the publication date stated in the revision.
193 (b) If a covered entity conforms to a combination of industry recognized cybersecurity
194 frameworks described Subsection (1)(a) and final revisions are published for more than one of
195 the industry recognized cybersecurity frameworks to which the covered entity conforms, the
196 covered entity shall reasonably comply with all of the industry recognized cybersecurity
197 frameworks no later than one year after the latest publication date stated in the final revisions
198 for the industry recognized cybersecurity frameworks.
199 Section 4. Section 78B-4-704 is enacted to read:
200 78B-4-704. No cause of action.
201 This part does not create a private cause of action, including a class action, if a covered
202 entity fails to comply with a provision of this part.
203 Section 5. Section 78B-4-705 is enacted to read:
204 78B-4-705. Severability clause.
205 If any provision of this part, or the application of any provision of this part to any
206 person or circumstance, is held invalid, the remainder of this part shall be given effect without
207 the invalid provision or application.