Understanding Utah’s Cybersecurity Affirmative Defense Act

Cybersecurity is a major concern for individuals, businesses, and government agencies alike. Cybercriminal attacks continue to grow at an alarming rate, making it important for states to write and pass legislation that empowers organizations to defend against these threats and protect organizations from legal consequences. Utah’s Cybersecurity Affirmative Defense Act is one such legislative initiative aimed at achieving this balance. The Cybersecurity Affirmative Defense Act is an example of how Utah does things differently. Rather than focusing on punitive laws for punishing businesses that don’t comply with difficult to understand legislation, Utah is using legislation to motivate businesses to invest in cybersecurity controls that protect businesses both from non-compliance and from malicious actors. Utah is leading with a carrot and not a stick. This blog post will dive into some of the key aspects of the act to help you understand its significance.

The Background

Utah’s Cybersecurity Affirmative Defense Act, which was signed by Governor Cox on May 5, 2021, is part of a new approach to cybersecurity legislation in the nation. It is Utah’s approach to encouraging business owners to invest in preventative cybersecurity controls. The act acknowledges the rapidly evolving nature of cyber threats and seeks to provide organizations with legal protections when they take proactive measures to defend against cyberattacks. These legal protections add significantly to the already large incentive to protect business against business interruption and reputation loss which result from a data breach or successful hacking effort.

Key Provisions of the Act

  1. Affirmative Defense: The primary feature of the act is the establishment of an affirmative defense for organizations that experience a data breach. In essence, if a company or entity can demonstrate “reasonable” cybersecurity controls were in place and operating prior to a “breach of security systems,” it may use this as a defense in court. There are requirements for what qualifies as “reasonable” controls, as described in the next section. This protection encourages organizations to proactively invest in cybersecurity to mitigate potential legal liabilities.
  2. “Reasonable” Cybersecurity Measures: The act does not provide a strict definition of what constitutes “reasonable” cybersecurity measures, as this can vary depending on the nature of the organization, the type of data it handles, and industry standards. Rather, it provides general guidelines that must be met, and that are flexible enough to be applied to all businesses, regardless of their size or complexity. The act recognizes alignment or compliance with widely accepted industry frameworks (e.g., CIS Top 18, ISO 27001, NIST CSF, etc.) and that alignment with an industry framework qualifies as having implemented reasonable controls. Regardless of the approach to establishing security controls, it is recommended you stay up to date with cybersecurity industry best practices and the evolving cybersecurity landscape.
  3. Support for Periodic Risk Assessments: The act also recognizes the value of proactive periodic evaluations of cybersecurity controls. It protects organizations that engage with IT consulting firms to review and assess their cybersecurity controls (perform a risk assessment) without fear that the identification of risks or program gaps will weaken a legal defense, assuming the organization acts to mitigate those risks in a reasonable timeframe. In fact, periodic risk assessments showing ongoing progress in improving cybersecurity controls are frequently used as yet another legal defense in court. Utah’s legislative recognition of the need for security reviews is another example of the legislature’s focus on implementing laws that support and encourage best business practices that work.

The Implications

Utah’s Cybersecurity Affirmative Defense Act has several important implications:

  1. Encouragement for Cybersecurity Investment: By providing legal protections to organizations that invest in cybersecurity, the act incentivizes businesses to allocate resources to protect themselves from cyber threats. This is particularly important in an era when data breaches can result in significant financial and reputational damage – currently averaging over $3 million in estimated cost for larger breaches.
  2. Legal Clarity: The act offers legal clarity to organizations regarding their responsibilities and potential defenses in the event of a data breach. This can help organizations make informed decisions about their cybersecurity strategies.
  3. Preservation of Best Business Practices: The act’s recognition of the value of periodic external cybersecurity evaluations promotes open and honest discussions between an organization, consultants, and their legal counsel. These conversations lead to more effective cybersecurity strategies, and better overall cyber protection.
  4. Adaptation to Evolving Threats: The act acknowledges that cybersecurity standards are constantly evolving, allowing organizations to adapt their cybersecurity measures in response to changing threat landscapes.


Utah’s Cybersecurity Affirmative Defense Act represents a unique approach to addressing the ever-growing threat of cyberattacks. By incentivizing organizations to invest in cybersecurity and providing legal protections when they do so, the act aims to create a safer digital environment for businesses and individuals with domicile in the state of Utah. As cyber threats continue to evolve, this and similar legislation in other states will become increasingly relevant in the ongoing battle to safeguard sensitive data and critical infrastructure.