Updates to Chapter 12
State Cybersecurity Statutes and Regulations
UPDATES TO THE SECOND EDITION
12.2 Generally Applicable State Statutes Requiring Reasonable Security
Comprehensive Texas and Oregon privacy laws with cybersecurity provisions took effect on July 1, 2024, along with the Florida law that applies to a few very large tech companies.
12.2.3.3 Statutory Damages under California’s Cybersecurity Law
The CCPA provides that any consumer whose personal information is subject to exfiltration "as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action." Cal. Civ. Code § 1798.150(a)(1) (emphasis added). On the other hand, Cal. Civ. Code § 1798.155(b) states that actions against “service providers” that violate the CCPA shall be brought "in a civil action brought in the name of the people of the State of California by the Attorney General." The CCPA defines "business" as an entity including a for-profit corporation "that collects consumers' personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information." Cal. Civ. Code § 1798.140(c)(1). It defines "service provider" as an entity "that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract." Cal. Civ. Code § 1798.140(v).
There is often disagreement as to whether an entity is a “business” or a “service provider.” In Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021), the court stated that “Plaintiff can only state a claim against Defendants if they are businesses, not service providers,” but it went on to conclude that plaintiff had adequately alleged that the defendant was a business, even though the business of the defendant was to “administer[] class action and mass tort settlements and judgments for litigants and courts," performing "functions including providing notice to class members, receiving and processing opt-outs, and managing claims databases." “[T]o qualify as a ‘business’ under the CCPA, the entity must both (1) collect PII and (2) determine why and how (‘the purposes and means’) the PII should be processed.” In re Accellion, 713 F. Supp. 3d 623, 640 (N.D. Cal. Jan. 29, 2024). In an extensive discussion, the court concluded that Accellion was not a business: “Without any allegations as to what Accellion decides or ‘determines’ with respect to processing Plaintiffs' PII, the Court cannot find that the Complaint has alleged that Accellion is a ‘business’ for the purposes of the CCPA.” At least one court has held that “business” and “service provider” are not mutually exclusive categories. In re Blackbaud, Inc., Customer Data Breach Litig., 2021 WL 3568394, at *5-6 (D.S.C. Aug. 12, 2021) (“Because Blackbaud could be both a ‘service provider’ and a ‘business’ under the CCPA, it would not be insulated from liability under the CCPA if it qualified as a ‘service provider.’”).
12.2.12A Kentucky
On April 4, 2024, the governor of Kentucky signed the Kentucky Consumer Data Protection Act, to be codified in KRS Chapter 367. Like other state privacy laws, the act requires data controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” The data security practices shall be appropriate to the volume and nature of the personal data at issue. Also like the other state laws, it requires processors “[t]aking into account the nature of processing and the information available to the processor” to assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732. Controllers shall conduct and document a data protection impact assessment of certain activities, including any processing of personal data that presents a heightened risk of harm to consumers. The Attorney General shall have exclusive authority to enforce violations of the Act. Further, the Act expressly states that “[n]othing in Sections 1 to 10 of this Act or any other law, regulation, or the equivalent shall be construed as providing the basis for, or give rise to, a private right of action for violations of Sections 1 to 10 of this Act.” The Act takes effect January 1, 2026.
12.2.14 Maryland
On May 9, 2024, the Maryland governor signed a comprehensive consumer privacy law that contained a data security requirement. The statute will require covered businesses to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.” The bill also requires a controller to contractually require its processors to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data.” Further, a processor must assist the controller in meeting the controller’s obligations “in relation to the security of processing the personal data and in relation to the notification of a breach of the security of a system.”
Like other recent state privacy laws, the Maryland law requires a controller to conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer. Such assessment shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against the potential risks to the rights of the consumer as mitigated by safeguards that may be employed by the controller and the necessity and proportionality of processing in relation to its stated purpose.
The Maryland law contains stringent data minimization requirements. First, a controller shall limit the collection of personal data to what is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer. Second, controllers may not collect, process or share sensitive data concerning a consumer unless such collection or processing is “strictly necessary” to provide or maintain a specific product or service requested by the consumer. Minimization is related to security, since the less data an entity collects, the less it is responsible for protecting.
Maryland already had a reasonable security measures law, but the new statute has its own definition of personal information and its own extensive set of exclusions and exemptions.
12.2.15A Minnesota
On May 24, 2024, the Minnesota governor signed the Minnesota Consumer Data Privacy Act as part of a broader omnibus bill, HF 4757. The law will take effect on July 31, 2025.
Under Subdivision 2 of Sec. 8, 325O.07, a controller “shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.”
Under Section 10, 325O.08, a controller must document and maintain a description of the policies and procedures the controller has adopted to comply with the act, including a description of any policies and procedures designed to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise its responsibilities.
Under Section 5, 325O.04, “taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08.” The section goes on to say, “Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures”.
In a provision relevant to cloud services, Section 5 also specifies that the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor’s expense, an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request.
A controller must conduct and document a data privacy and protection assessment for certain processing activities involving personal data, including any that present a heightened risk of harm to consumers.
12.2.17 Nebraska
On April 17, 2024, the Nebraska governor signed a comprehensive privacy law, which becomes effective on January 1, 2025. Unlike many of the new generation of state privacy laws, the law does not have an applicability threshold based on volume of data collected. Instead, following the Texas model, it applies to any person that conducts business in Nebraska or produces a product or service consumed by Nebraska residents and processes or engages in the sale of personal data and is not a small business under the federal Small Business Act (although even small businesses are prohibited from selling sensitive personal data without receiving prior consent from the consumer). The law’s data security requirement provides that a controller, “[f]or purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.” It also includes a data minimization requirement: A controller must limit its collection of personal data to “what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.” Like other state laws, it includes many exclusions: It does not apply to government agencies, financial institutions, HIPAA-covered entities, non-profits, institutions of higher education, or electric or gas utilities, and it excludes 17 defined categories of data, including employment data. The Nebraska Attorney General will have exclusive authority to enforce the Act. Before bringing an action, the Attorney General shall notify the controller or processor and provide a 30-day cure period. The Attorney General may not bring an action if, within the 30-day period, the controller or processor cures the identified violation.
12.2.18A New Hampshire
On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law. Like other recent state comprehensive privacy laws, it requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue. Also like other state laws, it requires data processors, “[t]aking into account the nature of processing and the information available to the processor,” to assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller's obligations.
Under 507-H:11, nothing in the new law shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter or any other law. A violation of the new law shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce under RSA 358-A:2 and shall be enforced by the attorney general. The act takes effect January 1, 2025.
12.2.24 Rhode Island
In June 2024, Rhode Island adopted the Rhode Island Data Transparency and Privacy Protection Act, to take effect on January 1, 2026. The statute requires that a controller “shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.” A separate provision provides: “Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data.” 6-48.1-7(s).
The law does not directly impose a cybersecurity obligation on processors. Instead, it provides that a processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. In addition, a contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
Like other new generation state privacy laws, the Rhode Island act requires controllers to conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer, defined to include any processing of sensitive data.
Like other similar state laws, the act exempts certain types of entities, § 6-48.1-3(d); many classes of data, §§ 6-48.1-3(e) and 6-48.1-10; and many uses of data, §§ 6-48.1-7(o), (p), and (s).
The state attorney general shall have sole enforcement authority. Section 6-48.1-8 goes on to say that “nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of law.”
12.3 Sector- or Data-Specific State Statutes and Regulations
12.3.7 Electric Utilities
In February 2024, the National Association of Regulatory Utility Commissioners and the U.S. Department of Energy issued a set of cybersecurity baselines for electric distribution systems and distributed energy resources (DER) that connect to them. NARUC described the baselines as “recommendations,” saying that they defined the minimum set of cybersecurity controls that should be considered, without defining any specific procedures or technologies on how any specific baselines might be met. NARUC indicated that it planned to develop implementation guidance. The baselines and implementation guidance are intended as resources for state public utility commissions, utilities, and DER operators and aggregators, suggesting that they could be adopted by state utility regulators.
12.3.8 Financial Services—New York
On October 16, 2024, the New York State Department of Financial Services (DFS) issued guidance for regulated entities on addressing cybersecurity risks arising from artificial intelligence. The guidance does not impose new requirements, but rather addresses how DFS-regulated institutions can meet their existing obligations under the Department’s cybersecurity regulation in light of evolving risks from AI. In essence, it says that entities must consider AI-related risks in their risk assessment and in their development of cybersecurity controls. The guidance calls out four risks in particular, two (social engineering and enhanced cyber-attacks) arising from threat actors’ use of AI and two (theft of nonpublic information and increased vulnerabilities due to supply chain dependencies) caused by an entity’s use of or reliance upon AI. The guidance touches on: how, when designing their risk assessments, covered entities should address AI-related risks; third-party service provider and vendor management; access controls; cybersecurity training; monitoring; and data management.
12.3.8A Hospitals—New York
In October 2024, the New York State Department of Health adopted cybersecurity regulations for hospitals, adding a new section 405.46 to Title 10 NYCRR. The regulation, applicable to all general hospitals licensed pursuant to article 28 of the state’s Public Health Law, starts with the requirement that each hospital shall establish a cybersecurity program based on a risk assessment. The cybersecurity program shall be designed to (i) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the hospital's information systems and the continuity of the hospital's business and operations; (ii) use defensive infrastructure and the implementation of policies and procedures to protect the hospital's information systems, the continuity of the hospital's business and operations, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts; (iii) detect cybersecurity events; (iv) respond to identified or detected cybersecurity events to mitigate any negative effects; and (v) recover from cybersecurity events and incidents and restore normal operations and services.
The regulation is very detailed, and seems to be based to some degree on the state’s regulations for financial institutions. Practitioners should examine the entire rule. What follows is just a summary of highlights.
Each cybersecurity program shall include specified elements, including:
Limit user access privileges to information systems.
Ensure the use of secure development practices for in-house developed applications utilized by the hospital, and procedures for evaluating, assessing and testing the security of externally developed applications utilized by the hospital.
Security measures and controls, including encryption, to protect nonpublic information held or transmitted by the hospital, both in transit over external networks and at rest. To the extent a hospital determines that encryption is infeasible, the hospital shall instead secure such nonpublic information using effective compensating controls.
Security controls to mitigate risks arising from electronic mail-based threats, including but not limited to spoofing, phishing, and fraud.
Monitoring and testing.
Audit trails and records maintenance.
The hospital's cybersecurity policy shall be approved by the hospital's governing body. The CISO of each hospital shall report in writing, at least annually, to the hospital's governing body on the hospital's cybersecurity program and material cybersecurity risks.
In addition, hospitals must have cybersecurity policies based on the hospital's risk assessment that address, at a minimum, the following topics:
(i) information security;
(ii) data governance and classification;
(iii) asset inventory and device management;
(iv) access controls and identity management;
(v) business continuity and disaster recovery planning and resources;
(vi) systems operations and availability concerns;
(vii) systems and network security;
(viii) systems and network monitoring;
(ix) systems and application development and quality assurance;
(x) physical security and environmental controls;
(xi) patient data privacy;
(xii) vendor and third-party service provider management;
(xiii) risk assessment as defined in subdivision (h) of this section;
(xiv) training and monitoring as defined in subdivision (1) of this section; and
(xv) overall incident response as defined in subdivision (m) of this section;
Each hospital shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
12.3.13 Scrap Metal Dealers
Yes, Minnesota has a statute specifically requiring scrap metal dealers to implement “reasonable safeguards” to protect the security of the personal information they collect and “prevent unauthorized access to or disclosure of the information.” 2024 Minnesota Statutes 325E.21, subdivision 1b(f). The requirement makes sense in context: In an effort to reduce thefts of autos and catalytic converters, Minnesota adopted a law, effective August 1, 2024, requiring scrap metal dealers to collect and report to the Bureau of Criminal Apprehension within the Department of Public Safety certain information about the used cars and parts they purchase. That led someone to worry about the confidentiality of the data and hence the new data security provision. Like other sector-specific measures, it overlaps with the data security obligation in the Minnesota consumer privacy law. See Chapter 12.2.15A above.
12.5 Equipment and App Bans
In December 2023, a federal district court upheld the Texas TikTok ban against a First Amendment challenge. Coalition for Independent Technology Research v. Abbott (W.D. Tex. Dec. 11, 2023). Plaintiff, a group of “academics, journalists, civil society researchers, and community scientists,” brought suit challenging Texas's TikTok ban “as applied to faculty at public universities.” The court found that the plaintiff’s members had First Amendment rights as academics and public employees. Indeed, the court said, “academic freedom receives extra protection under the law.” However, the court found that the ban is not a restraint on speech in a public forum, but rather a restriction on a nonpublic forum, subject to much less searching scrutiny: “Texas's TikTok ban is limiting the use of an app on state-provided devices and networks, which is not a blanket prohibition. Public university faculty—and all public employees—are free to use TikTok on their personal devices (as long as such devices are not used to access state networks).” “[T]he ban relates to Texas's regulation of its own governmental property.” The touchstone of nonpublic forum analysis is whether the restriction is reasonable in light of the purpose which the forum at issue serves. Within that framework, the court easily found the restriction, which it emphasized was viewpoint-neutral, to be reasonable, in light of Texas’ concerns about privacy and security.
______________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION (last updated: January 13, 2023), INCORPORATED INTO THE SECOND EDITION
12.2.3.1 Statutory Damages under California’s Cybersecurity Law
In Gardiner v. Walmart Inc., 2021 U.S. Dist. LEXIS 75079, 2021 WL 2520103 (N.D. Cal. March 5, 2021), the court dismissed a CCPA claim where the plaintiff had not adequately alleged the disclosure of personal information as defined by the statute.
12.2.4 – Colorado
In 2021, Colorado’s governor signed a comprehensive privacy law, Senate Bill 21-190. It added a new part 13 to article 1 of title 6 of the Colorado Revised Statutes. Section 6-1-1308(5) states:
(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
Section 6-1-1310 specifies that the new law does not authorize a private right of action, nor does it relieve any party from any duties or obligations imposed, nor alter any independent rights that consumers have, under other laws. Under 6-1-1311, the state attorney general and district attorneys have exclusive authority to enforce the new law. Twenty-one categories of data are exempted from the law, mostly data regulated under other laws, state or federal. A violation of the new law is a deceptive trade practice, but only for purposes of enforcement by the state AG or district attorney.
Under Section 6-1-1309 of the law, a controller shall not conduct processing of sensitive data (defined in 6-1-1303(24)) without conducting and documenting a data protection assessment that identifies and weighs the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.
The new law includes a cure provision:
Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed, effective January 1, 2025.
The new law sits parallel to Colorado’s existing data security law, 6-1-713.5. The difference is that the new Colorado law has a much broader definition of personal data:
“Personal data”: (a) means information that is linked or reasonably linkable to an identified or identifiable individual; and (b) does not include de-identified data or publicly available information.
[New subchapter:] 12.2.4A – Connecticut
12.2.4A.1 Reasonable Security Provision
In June 2022, Connecticut became the 23rd state to adopt a reasonable security measures requirement. The cybersecurity language is included in “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut’s new comprehensive consumer privacy law. Like other recent state consumer privacy laws, the Act uses the controller/processor language of the EU. Section 6(3) of the Act states that a controller shall:
establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
Section 7 of the Act states a processor shall, “taking into account the nature of processing and the information available to the processor, [assist] the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security … of the system of the processor, in order to meet the controller's obligations.”
The law has very expansive exemptions. See James Dempsey, Exceptions in new US state privacy laws leave data without security coverage, IAPP (May 17, 2022).
The Act becomes effective on July 1, 2023. There is no private right of action: “The Attorney General shall have exclusive authority to enforce violations of sections 1 to 10, inclusive, of this act.” Further: “Nothing in sections 1 to 10, inclusive, of this act shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.” Still further: “A violation of … this act shall constitute an unfair trade practice for purposes of section 42-110b of the general statutes and shall be enforced solely by the Attorney General, provided the provisions of section 42-110g of the general statutes shall not apply to such violation.”
During the period July 1, 2023 through December 31, 2024, prior to initiating any action for a violation of the Act, the Attorney General must issue a notice of violation to the controller if the Attorney General determines that a cure is possible. Only if the controller fails to cure the violation within sixty days may the Attorney General bring an enforcement action. Beginning on January 1, 2025, the Attorney General will have discretion to grant controllers and processors the opportunity to cure, based on a variety of factors spelled out in Section 11(c) of the Act.
12.2.4A.2 Safe Harbor
A separate Connecticut law, PA 21-119, tries to answer the question of how much security is “reasonable.” It does so, not unwisely, by referencing in subsection (c) some familiar standards: the NIST Framework for critical infrastructure, NIST SP-800-171, NIST SP 800-53 and 53a, the FedRAMP Security Assessment Framework, the Center for Internet Security’s Critical Security Controls, or the ISO/IEC 27000-series. (This is the same list in the Ohio law discussed in Chapters 7.5 and 12.2.18.) But the Connecticut provision is confusing, in that it protects businesses only against punitive damages if they comply with one of the listed standards:
In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection shall not apply if such failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.
Shouldn’t compliance with one of the designated standards constitute reasonable security, such that an entity is not liable at all in tort if it complies? As written, the provision suggests that an entity could comply with one of the referenced standards and still be liable for actual damages, just not punitive damages.
Key phrases in the law are “complied with” and “conforms to.” If an entity did not comply with its own cybersecurity program (and many entities don’t) or if the program falls short of the referenced standard, punitive damages are still available. And whether a program in fact conforms with one of the referenced standards and whether the program was in fact complied with seem to be litigable issues. The language about “gross negligence or wilful or wanton conduct” seems inapplicable if the basic standard of the safe harbor—“complied with” and “conforms to”—is not met.
The statute also protects against punitive damages entities regulated under HIPAA, Gramm-Leach-Bliley, the Federal Information Security Modernization Act, or the HITECH Act.
The law took effect October 1, 2021.
12.2.22.1 Utah Cybersecurity Affirmative Defense
In March 2021, Utah’s governor signed into law H.B. 80, the Cybersecurity Affirmative Defense Act. The bill added a new Part 7 to Chapter 4 of Title 78B of the Utah Code, 78B-4-701 through 78B-4-706. It provides a series of affirmative defenses to companies that create, maintain, and reasonably comply with a written cybersecurity program meeting certain criteria. The bill is in some ways similar to Ohio’s, but it is more complicated:
A person that creates, maintains, and reasonably complies with a written cybersecurity program that meets certain requirements specified in the statute has an affirmative defense to a claim that alleges that its failure to maintain reasonable information security controls resulted in a breach. 78B-4-702(1).
A person has an affirmative defense to a claim that the person failed to appropriately respond to a breach of system security if the person (a) creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements specified in the statute, and (b) its security program at the time of the breach included breach response protocols that reasonably complied with the cybersecurity program under (a) and the person followed the protocol. 78B-4-702(2).
A person has an affirmative defense to a claim that the person failed to appropriately notify individuals whose data was compromised in a breach if the person (a) creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements specified in the statute and (b) the written cybersecurity program had protocols at the time of the breach for notifying an individual about a breach that reasonably complied with the requirements for a written cybersecurity program under (a) and the person followed the protocols. 78B-4-702(3).
From there it gets complicated. Under 78B-4-702(4), in order to provide the basis for an affirmative defense, a written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information, including:
(a) being designed to:
(i) protect the security, confidentiality, and integrity of personal information;
(ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
(iii) protect against a breach of system security;
(b) reasonably conforming to a recognized cybersecurity framework as described in Subsection 78B-4-703(1); and
(c) being of an appropriate scale and scope in light of specified factors, including the size and complexity of the person and the cost and availability of tools to improve information security and reduce vulnerability.
Under Subsection 78B-4-703(1), a person has four options for proving that its written cybersecurity program reasonably conforms to a recognized cybersecurity framework:
(1) if it reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
(A) NIST special publication 800-171;
(B) NIST special publications 800-53 and 800-53a;
(C) the Federal Risk and Authorization Management Program Security Assessment Framework;
(D) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
(E) the International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information security management systems;
(2) if information obtained in the breach is regulated by the federal government or state government and the person’s program reasonably complies with the requirements of the regulation, including:
(A) the HIPAA security rule;
(B) GLB;
(C) FISMA;
(D) the HITECH Act;
(E) the Utah Protection of Personal Information Act; or
(F) any other applicable federal or state regulation;
(3) if information obtained in the breach is the type of information intended to be protected by the PCI data security standard and the person’s program reasonably complies with the current version of the PCI DSS;
(4) if —
(a) the person coordinates, or designates an employee of the person to coordinate, a program that provides the administrative, technical, and physical safeguards described in Subsections 78B-4-702(4)(a) and (c);
(b) the program under Subsection (2)(a) has practices and procedures to detect, prevent, and respond to a breach of system security;
(c) the person, or an employee of the person, trains, and manages employees in the practices and procedures under Subsection (2)(b);
(d) the person, or an employee of the person, conducts risk assessments to test and monitor the practice and procedures under Subsection (2)(b), including risk assessments on:
(i) the network and software design for the person;
(ii) information processing, transmission, and storage of personal information; and
(iii) the storage and disposal of personal information; and
(e) the person adjusts the practices and procedures under Subsection (2)(b) in light of changes or new circumstances needed to protect the security, confidentiality, and integrity of personal information.
Finally, a person may not claim an affirmative defense under the statute if the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information; the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and the threat or hazard resulted in the breach of system security.
The purpose of the law, for defendants that invoke it, seems to be to shift the focus of litigation from the specific error that caused a breach to the totality of the defendant’s cybersecurity program. In effect, it allows an entity to argue that yes, we made a mistake and the bad guys exploited it, but it was an isolated mistake and overall we had a solid cybersecurity program. The reasonableness of the defendant’s conduct, informed by a cost-utility analysis, should be the focus of a claim in negligence anyhow, but the Utah law specifically allows the defendant to broaden the inquiry from one action or failing to the totality of the defendant’s cybersecurity program. For example, viewed in isolation, the failure to deploy a patch that would have avoided a breach may look unreasonable (see Equifax), and that is where the plaintiff will want to focus (assuming the defendant otherwise had pretty good practices). But with this law the defendant can show that it had a good security program that included patch management and that it normally followed its program quite well, but just dropped the ball on that one patch, and that may support the affirmative defense. Overall, such laws are intended to incentivize entities collecting personal information to adopt comprehensive cybersecurity programs. Plaintiffs will then focus on “reasonably complies” and argue that the failure giving rise to the breach was not an isolated incident and that the defendant is not entitled to the affirmative defense.
12.2.22.2 Utah Consumer Privacy Act
On March 3, 2022, the Utah legislature approved a comprehensive consumer privacy law, the Utah Consumer Privacy Act (thus joining California, Colorado and Virginia in adopting comprehensive consumer privacy laws). The Utah law would add to Title 13 of the Utah Code a new Section 13-61-302 stating:
(2) (a) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:
(i) protect the confidentiality and integrity of personal data; and
(ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
(b) Considering the controller’s business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.
This seems to run parallel to the data security requirement already imposed by Utah Code 13-44-201, as discussed in the book.
The new law also addresses the duty of processors (third parties who provide any kind of data storage or other processing to a consumer-facing entity), requiring that, “taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, [they] assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of security system.” In addition, a controller must enter into a contract with any processor it uses that requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
Unlike similar privacy laws adopted by Virginia and Colorado, the Utah law does not require controllers to perform data protection assessments.
The attorney general has the exclusive authority to enforce the law. At least 30 days before initiating an enforcement action, the attorney general must provide the controller or processor written notice of the alleged violation, and the attorney general may not initiate an action if the controller or processor cures the noticed violation within 30 days after receiving the notice.
The law will take effect on December 21, 2023.
12.3.9 Insurance
According to one count, the April 8, 2022 signing of Kentucky House Bill 474 brought to 21 the number of states that have adopted a version of the NAIC model law. The April 21, 2022 signing of Maryland Senate Bill 207 would bring the total to 22. Like other enactments of the NAIC model, these may have small departures from the language of the model. For example, the Maryland law requires notification to the state insurance commissioner only if the cybersecurity event has a reasonable likelihood of harming a consumer residing in the state or any material part of the normal operations of the carrier (unless notice is otherwise required to any government body, self-regulatory agency, or any other supervisory body under state or federal law).
The Maryland law takes effect October 1, 2022, but a carrier shall have until October 1, 2023, to develop, implement, and maintain a comprehensive written information security program based on the carrier’s risk assessment, and until October 1, 2024 to require their third-party service providers to implement appropriate protections for systems and information they access. Smaller carriers have an extra year on each compliance date.
The Kentucky law takes effect on January 1, 2023. Carriers have until January 1, 2024 to comply with the investigation and notification requirements and until January 1, 2025 to adopt and implement their information security programs.
12.4 Laws on Ransomware
In November 2021, North Carolina became the first jurisdiction to ban ransomware payments. The ban, limited to state and local government entities, including the University of North Carolina, prohibits even communicating with the ransomware attacker:
(a) No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.
N.C. Gen. Stat. § 143-800, added by 2021 N.C. Sess. Laws 180, s. 38.13-a, effective 11/18/2021.
12.5 Equipment and App Bans
In response to concerns about the vulnerability of products and services developed by China-based companies—TikTok being the poster child—states have begun to ban their use within state government. The first such action was in 2020, when the governor of Nebraska announced in a press release that the state would block TikTok on all state electronic devices. A wave of bans began in November 2022, with about half the states acting by mid-January 2023, including Alabama, Georgia, Idaho, Iowa, Kansas, Maryland, New Hampshire, New Jersey, North Carolina, North Dakota, Oklahoma, Pennsylvania, South Carolina, South Dakota, Texas, Utah, and Wisconsin. The states utilized a variety of legal authorities. Here are some details and links on a few of the bans:
In December 2022, the Chief Information Security Officer of Maryland issued an emergency cybersecurity directive banning the use of TikTok and certain other China and Russia-based products or services in the state’s executive branch.
The directive was issued under Md. Code, State Fin. & Proc. (SF&P) § 3.5-2A-04, which states that the Office of Security Management, headed by the State Chief Information Security Officer, is responsible for establishing security requirements for information and information systems used by the state government. Pursuant to SF&P § 3.5-2A-04(b)(6), if the State CISO determines that there are security vulnerabilities or deficiencies in any information systems, the CISO may direct or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring the information system to be disconnected.
The directive is broadly worded, stating that —
“The following vendors and products … are subject to this directive.
Huawei Technologies
ZTE Corp
Tencent Holdings, including but not limited to:
Tencent QQ
QQ Wallet
WeChat
Alibaba products, including but not limited to:
AliPay
Kaspersky
TikTok.”
The directive states that, within fourteen days of issuance, units must: remove any referenced hardware or software products from the state networks; implement measures to prevent the installation of referenced hardware and software products on State-owned or managed technology assets; and implement network-based restrictions to prevent the use of, or access to, prohibited services.
In December 2022, the governor of Texas directed that every state agency in Texas shall ban its officers and employees from downloading or using TikTok on any of its government-issued devices. The ban extended to all state-issued cell phones, laptops, tablets, desktop computers, and other devices capable of internet connectivity. The governor also ordered the Texas Department of Public Safety and the Texas Department of Information Resources to develop a model plan that other state agencies could deploy with respect to the use of TikTok on personal devices. Among other potential TikTok vulnerabilities, this model plan must address the use of personal devices by agency employees or contractors to conduct state business, such as TikTok-enabled cell phones with remote access to an employee’s .gov email account, and network-based restrictions to prevent the use of TikTok on any personal device while it is located on agency property.
In November 2022, the governor of South Dakota issued an executive order directing that no state employee or agency shall download or use the TikTok app or visit the TikTok website on government-issued devices and that no person or entity that contracts with the state shall download or use TikTok on state-owned or state-leased equipment.
In December 2022, the governor of South Carolina wrote a letter to the executive director of the state Department of Administration requesting that the social media platform TikTok be permanently removed, and access blocked from all state government electronic devices that are managed by the department.
Last updated: Nov. 20, 2024.
Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.