Representative Marc K. Roberts proposes the following substitute bill:

DATA PRIVACY AMENDMENTS
2020 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Marc K. Roberts
Senate Sponsor: Todd Weiler

LONG TITLE
General Description:
     This bill creates affirmative defenses to certain causes of action arising out of a data breach.
Highlighted Provisions:
     This bill:
     ▸ defines terms;
     ▸ creates affirmative defenses to causes of action arising out of a data breach involving personal information, restricted information, or both personal information and restricted information;
     ▸ provides that an entity may not claim an affirmative defense if the entity had notice of a threat or hazard;
     ▸ establishes the requirements for asserting an affirmative defense;
     ▸ provides that the creation of an affirmative defense does not create a cause of action for failure to comply with the requirements for asserting the affirmative defense; and
     ▸ provides a severability clause.
Money Appropriated in this Bill:
     None
Other Special Clauses:
     None
Utah Code Sections Affected:
ENACTS:
     78B-4-701, Utah Code Annotated 1953
     78B-4-702, Utah Code Annotated 1953
     78B-4-703, Utah Code Annotated 1953
     78B-4-704, Utah Code Annotated 1953
     78B-4-705, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:
     Section 1. Section 78B-4-701 is enacted to read:

Part 7. Cybersecurity Affirmative Defense Act

     78B-4-701. Definitions.
     As used in this part:
     (1) (a) "Business" means:
     (i) an association;
     (ii) a corporation;
     (iii) a limited liability company;
     (iv) a limited liability partnership;
     (v) a sole proprietorship;
     (vi) another group, however organized and whether operating for profit or not for profit; or
     (vii) a parent or subsidiary of any of the entities described in Subsections (1)(a)(i) through (vi).
     (b) "Business" includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, another state, or another country.
     (2) "Covered entity" means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this state.
     (3) (a) "Data breach" means the unauthorized access to or acquisition of electronic data that:
     (i) compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity; and
     (ii) causes, is reasonably believed to have caused, or is reasonably believed will cause a material risk of identity theft or other fraud to an individual or an individual's property.
     (b) "Data breach" does not include:
     (i) good faith acquisition of personal information or restricted information by the covered entity's employee or agent for a purpose of the covered entity if the personal information or restricted information is not used for an unlawful purpose or subjected to further unauthorized disclosure; or
     (ii) acquisition of personal information or restricted information pursuant to:
     (A) a search warrant, subpoena, or other court order; or
     (B) a subpoena, order, or duty of a federal or state agency.
     (4) (a) "Data item" means:
     (i) a social security number;
     (ii) a driver license number or state identification number; or
     (iii) a financial account number or credit or debit card number when combined with any required security code, access code, or password that is necessary to permit access to an individual's financial account.
     (b) "Data item" does not include an item described in Subsection (4)(a) if the item is encrypted, redacted, or altered by any method or technology that makes the item unreadable.
     (5) "Encrypted" means transformed, using an algorithmic process, into a form that has a low probability of assigning meaning without the use of a confidential process, access key, or password.
     (6) "Individual's name" means:
     (a) the individual's first name and last name; or
     (b) the individual's last name and the initial of the individual's first name.
     (7) "PCI data security standard" means the Payment Card Industry Data Security Standard.
     (8) (a) "Personal information" means an individual's name when combined with one or more data items.

     (b) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local records or any of the following media that are widely distributed:
     (i) a news, editorial, or advertising statement published in a bona fide newspaper, journal, magazine, or broadcast over radio or television;
     (ii) a gathering or furnishing of information or news by a bona fide reporter, correspondent, or news bureau to news media described in Subsection (8)(b)(i);
     (iii) a publication designed for and distributed to members of a bona fide association or charitable or fraternal nonprofit corporation; or
     (iv) any type of media that is substantially similar in nature to any item, entity, or activity described in Subsections (8)(b)(i) through (iii).
     (9) "Redact" means to alter or truncate a data item so that no more than the last four digits of a social security number, driver license number, state identification number, financial account number, or credit or debit card number is accessible.
     (10) "Restricted information" means any information, other than personal information, about an individual that:
     (a) (i) alone, or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity; or
     (ii) is linked or linkable to an individual;
     (b) is not encrypted, redacted, or altered by a method or a technology that makes the information unreadable; and
     (c) if accessed or acquired without authority, is likely to result in a material risk of identity theft or fraud to the individual or the individual's property.
     Section 2. Section 78B-4-702 is enacted to read:
     78B-4-702. Affirmative defense for a data breach of cyber data.
     (1) A covered entity that creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (5) and is in place at the time of a data breach of the covered entity has an affirmative defense to a claim that:
     (a) is brought under the laws of this state or in the courts of this state;
     (b) alleges that the covered entity failed to implement reasonable information security controls;

     (c) alleges that the failure described in Subsection (1)(b) resulted in a data breach of personal information; and
     (d) does not allege a data breach of restricted information.
     (2) A covered entity that creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (6) and is in place at the time of a data breach of the covered entity has an affirmative defense to a claim that:
     (a) is brought under the laws of this state or in the courts of this state; and
     (b) alleges that the covered entity failed to implement reasonable information security controls that resulted in a data breach of personal information and restricted information.
     (3) A covered entity has an affirmative defense to a claim that the covered entity failed to appropriately respond to a data breach if:
     (a) (i) for a data breach of personal information, the covered entity creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (5) and is in place at the time of the data breach; or
     (ii) for a data breach of personal information and restricted information, the covered entity creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (6) and is in place at the time of the data breach; and
     (b) the written cybersecurity program had protocols at the time of the data breach for responding to a data breach that complied with the written cybersecurity program under Subsection (3)(a) and the covered entity followed the protocols.
     (4) A covered entity has an affirmative defense to a claim that the covered entity failed to appropriately notify an individual whose personal information or restricted information was compromised in a data breach if:
     (a) (i) for a data breach of personal information, the covered entity creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (5) and is in place at the time of the data breach; or
     (ii) for a data breach of personal information and restricted information, the covered entity creates, maintains, and complies with a written cybersecurity program that meets the requirements of Subsection (6) and is in place at the time of the data breach; and
     (b) the written cybersecurity program had protocols at the time of the data breach for notifying an individual about a data breach that complied with the requirements for a written cybersecurity program under Subsection (4)(a) and the covered entity followed the protocols.
     (5) A written cybersecurity program described in Subsections (1) and (2) shall contain administrative, technical, and physical safeguards to protect personal information, including:
     (a) being designed to:
     (i) protect the security and confidentiality of personal information;
     (ii) protect against any anticipated threat or hazard to the security or integrity of personal information; and
     (iii) protect against a data breach of personal information;
     (b) conforming to an industry recognized cybersecurity framework as described in Section 78B-4-703; and
     (c) being of an appropriate scale and scope in light of the following factors:
     (i) the size and complexity of the covered entity;
     (ii) the nature and scope of the activities of the covered entity;
     (iii) the sensitivity of the information to be protected;
     (iv) the cost and availability of tools to improve information security and reduce vulnerability; and
     (v) the resources available to the covered entity.
     (6) A written cybersecurity program described in Subsection (2) shall meet the requirements described in Subsection (5), except that the requirements of Subsection (5) shall apply to both personal information and restricted information.
     (7) A covered entity may not claim an affirmative defense under Subsections (1), (2), (3), or (4) if:
     (a) the covered entity had actual notice of a threat or hazard to the security or integrity of personal information or restricted information;
     (b) the covered entity did not act in a reasonable amount of time to take known remedial efforts to protect the information against the threat or hazard; and
     (c) the threat or hazard resulted in the data breach.
     Section 3. Section 78B-4-703 is enacted to read:
     78B-4-703. Components of a cybersecurity program eligible for an affirmative defense.
     (1) Subject to Subsection (2), a covered entity's written cybersecurity program conforms to an industry recognized cybersecurity framework if the written cybersecurity program:
     (a) is designed to protect the type of personal information and restricted information obtained in the data breach;
     (b) conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
     (i) NIST special publication 800-171;
     (ii) NIST special publications 800-53 and 800-53a;
     (iii) the Federal Risk and Authorization Management Program Security Assessment Framework;
     (iv) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
     (v) the International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information security management systems;
     (c) for personal information or restricted information obtained in the data breach that is regulated by the federal government or state government, complies with the requirements of the regulation, including:
     (i) the security requirements of the Health Insurance Portability and Accountability Act of 1996, as described in 45 C.F.R. Part 164, Subpart C;
     (ii) Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended;
     (iii) the Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283;
     (iv) the Health Information Technology for Economic and Clinical Health Act, as set forth in 45 C.F.R. Part 164;
     (v) Title 13, Chapter 44, Protection of Personal Information Act; or
     (vi) any other applicable federal or state regulation; and
     (d) for personal information or restricted information obtained in the data breach that is the type of information intended to be protected by the PCI data security standard, complies with the current version of the PCI data security standard.
     (2) If an industry recognized cybersecurity framework described in Subsection (1) is revised, a covered entity with a written cybersecurity program that relies upon that industry recognized cybersecurity framework shall conform to the revised version of the framework in a reasonable amount of time, taking into consideration the urgency of the revision in terms of:
     (a) risks to the security of personal information or restricted information;
     (b) the cost and effort of complying with the revised version; and
     (c) any other relevant factor.
     Section 4. Section 78B-4-704 is enacted to read:
     78B-4-704. No cause of action.
     This part does not create a private cause of action, including a class action, if a covered entity fails to comply with a provision of this part.
     Section 5. Section 78B-4-705 is enacted to read:
     78B-4-705. Severability clause.
     If any provision of this part, or the application of any provision of this part to any person or circumstance, is held invalid, the remainder of this part shall be given effect without the invalid provision or application.