About the author
Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.
On March 11, 2021 the Cybersecurity Affirmative Defense Act (H.B. 80) was signed into law by Utah governor Spencer Cox. The CADA (as I’m calling it) represents the second U.S. state-level cybersecurity incident “affirmative defense” statute to be brought into force. Ohio enacted their version, the Data Protection Act (DPA), in August of 2018; I wrote extensively about it in CPO Magazine the following year.
In litigation, an affirmative defense statute enables a defendant who meets a standard cited in the statute to defeat the lawsuit. Under the CADA, meeting the cybersecurity standard (discussed below) will defeat allegations of a failure on the part of the defendant to:
- “[I]mplement reasonable information security controls that resulted in the breach of system security”;
- “[A]ppropriately respond to a breach of system security”; or
- “[A]ppropriately notify an individual whose personal information was compromised in a breach of system security[.]”
Note that the affirmative defense will not be available in an instance where “the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information; (ii) the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and (iii) the threat or hazard resulted in the breach of system security.” A cybersecurity risk assessment does not qualify as “actual notice” under the statute, most likely to avoid discouraging such assessments. A “person” is essentially any individual or entity that is not a government body or non-profit organization (I’ll use the terms “entity” or “corporation” for my analysis below).
The Cybersecurity Program Standard
To obtain the affirmative defense, the defendant must have previously implemented
[a] written cybersecurity program [that] shall provide administrative, technical, and physical safeguards to protect personal information, including:
- A. Being designed to:
  - i. Protect the security, confidentiality, and integrity of personal information;
  - ii. Protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
  - iii. Protect against a breach of system security;
- B. Reasonably conforming to a recognized cybersecurity framework…[which I’ll describe below]; and
- C. Being of an appropriate scale and scope…[to defend the enterprise; a list of parameters follows]
Statutes and regulations requiring a written information security program (or WISP) are common at the U.S. state level (with 23 NYCRR Part 500 being a leading example); however, Utah does not have one.
Cybersecurity Programs and Qualifying Frameworks
In order for a cybersecurity program to qualify for an affirmative defense, it must:
- A. Be designed to protect the type of personal information that was the subject of the breach;
- B. Be a “reasonable” security program. Such a program contains the following components:
  - a) The entity that wishes to obtain the benefit of the defense designates an employee to coordinate the cybersecurity program;
  - b) The program has practices and procedures to detect, prevent, and respond to a breach of system security;
  - c) The entity trains and manages employees in the program’s practices and procedures;
  - d) The entity conducts risk assessments to test and monitor the program’s practices and procedures, including risk assessments on:
    - i. the network and software design;
    - ii. information processing, transmission, and storage of personal information; and
    - iii. the storage and disposal of personal information; and
  - e) The entity adjusts the practices and procedures in light of changes or new circumstances needed to protect the security, confidentiality, and integrity of personal information.
- C. Reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
  - NIST Special Publication 800-171 [used for defense contractors];
  - NIST Special Publications 800-53 and 800-53A [used for government agencies and their contractors];
  - Federal Risk and Authorization Management Program Security Assessment Framework [i.e., FedRAMP];
  - Center for Internet Security Critical Security Controls for Effective Cyber Defense [i.e., the CIS CSC Top 20]; or
  - the ISO/IEC 27000 family – Information security management systems [e.g., ISO/IEC 27001]
If the personal information that is the subject of the breach is regulated by the federal government or state government, then the program must reasonably comply with the requirements of that regulation, including:
- The security requirements of HIPAA;
- Title V of the GLBA;
- The Federal Information Security Modernization Act of 2014 [i.e., FISMA];
- The Health Information Technology for Economic and Clinical Health Act [i.e., the HITECH Act];
- Title 13, Chapter 44, [of the Utah] Protection of Personal Information Act; or
- Any other applicable federal or state regulation.
Finally, in the event that the personal information that is the subject of the breach is governed by the PCI data security standard (i.e., PCI-DSS), then reasonable compliance with that standard will qualify for the affirmative defense.
The requirement that the cybersecurity program be designed to protect the “security, confidentiality, and integrity” of personal information differs slightly from the traditional “CIA triad” of “confidentiality,” “integrity,” and “availability” goals that cybersecurity professionals are familiar with; the reason for this difference isn’t clear from the text of the statute. The qualities of a “reasonable” cybersecurity program cited by the statute are consistent with other cybersecurity statutes and regulations. In particular, they are reminiscent of 23 NYCRR Part 500, which requires the appointment of a Chief Information Security Officer and the conduct of periodic risk assessments. The inclusion of a requirement to adjust the “practices and procedures” of the program as cybersecurity threats evolve is particularly welcome in light of the constant barrage of attacks by threat actors and will likely find its way into other statutes. Finally, all of the frameworks and sectoral federal statutes cited in the statute have been in use for many years and are generally accepted as effective by cybersecurity professionals.
The one challenge for corporations that wish to benefit from the CADA is demonstrating conformity with a given framework or statute. As of this writing, the only framework for which a third-party assessor can grant a certification is ISO/IEC 27001. In the course of litigation, demonstrating conformity will come down to expert testimony offered by the defense, which will be countered by the plaintiff’s own experts. As is so often the case in civil and criminal litigation, success will turn on which side’s experts the jury or judge believes the most.
In contrast to the traditional “establish effective controls or pay the price” model of advancing protection of personal information, this model of cybersecurity legislation – creating positive incentives to prioritize effective cybersecurity programs – offers another and perhaps better path. Given the continual stream of reports of ransomware and other attacks on enterprise IT and the seeming inability of corporations to effectively resist them, this approach has as much merit as any. As of this writing, the Connecticut state legislature has its version of an affirmative defense act, H.B. 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” winding its way through the legislative process. It would not be surprising to see similar bills appear in other state legislature calendars this year.
I’ll be interviewing the sponsor of the CADA, Utah state Representative Walt Brooks, about this new law on May 20th for Spirion’s Data Privacy Trailblazers webcast – you can sign up here.