This story appears in the December issue of Utah Business.

Since being passed during the 2021 Utah Legislative Session, House Bill 80 — the Cybersecurity Affirmative Defense Act — has drawn high praise from cybersecurity experts and business owners alike.

“Honestly, it is probably the best piece of legislation I’ve seen the state legislature put out,” says John Pohlman, director of information security services at Tanner LLC.

As Pohlman explains, HB80 is a business-friendly bill that motivates organizations, large and small, to invest in cybersecurity. The key benefit? If businesses can demonstrate they’ve implemented the proper security controls and data protection systems, they are shielded from lawsuits following a security breach. This is known as an affirmative defense — a legal safeguard that allows businesses to defend themselves in court by showing they were proactively working to prevent an issue.

In many states, compliance is enforced through penalties and fines. For example, California’s privacy laws impose fines on businesses for non-compliance. In contrast, HB80 encourages companies to improve cybersecurity by offering legal protection.

“Utah took the opposite approach,” Pohlman says. “The legislature said, ‘Look, we understand that people want to run their businesses and that cybersecurity needs to be more of a priority. So, we’ll incentivize an affirmative defense and support businesses that can show they’re continually investing in cybersecurity.’”


One of the most attractive features of HB80 is the relatively low barrier to compliance. Businesses are not required to implement expensive, cutting-edge technology. Instead, the law references the National Institute of Standards and Technology (NIST) cybersecurity framework, which outlines a set of best practices for data security. As long as a company’s cybersecurity program “reasonably conforms” to NIST guidelines or a similar approved resource, it can qualify for the affirmative defense.

“These controls are easy to follow and not particularly intrusive,” Pohlman assures. “As long as the business can show it’s performing regular risk assessments or auditing for deficiencies and trying to improve them, they’re covered.”

For example, a company might start by implementing basic measures like strong password policies, encrypting sensitive data or conducting regular vulnerability assessments. These are all relatively simple steps that align with NIST standards and can provide significant protection against cyber threats.

Importantly, the standard for compliance isn’t one-size-fits-all. While large tech companies or retail giants might need to audit their systems two or three times a year, small businesses aren’t held to the same frequent schedule. In fact, a small mom-and-pop shop could get by with audits every other year, as long as it can document that it is investing in cybersecurity and actively addressing any identified weaknesses.

“It’s not an expensive investment either,” Pohlman says. He estimates that spending less than $10,000 on a third-party audit and a five-year cybersecurity plan can bring most businesses into compliance.

It’s money well spent, he notes, and more businesses should take advantage of this legislative protection. Unfortunately, many companies still hesitate to act.

“There’s a lot of fear and speculation that everyone’s getting hacked, so businesses aren’t doing anything,” Pohlman observes. He regularly encourages his clients to take advantage of HB80’s protections. “The state of Utah is saying, ‘Hey, look, we know it’s going to happen. If you can show you’re continually improving and investing in IT security controls, we’ll stand behind you in court.’”