ST. GEORGE — A bill making its way through the Utah Legislature that saw its first appearance a year ago is aiming at giving businesses legal protection for following specific data security guidelines in the event of a breach, something which the bill’s sponsor says will raise the bar on consumer data security as a whole.
Data Security Amendments, designated as HB 80 in the 2021 Utah Legislature and sponsored by Rep. Walt Brooks, R-St. George, creates an affirmative defense for businesses that follow national guidelines for data security but still are victimized by hacking that could expose sensitive personal data.
The bill received a favorable recommendation after unanimously passing the House Business and Labor Committee on Monday and is on the calendar for a vote in the House.
Brooks gave St. George News an analogy by way of explaining the legislation. He posited a situation where a person has borrowed something belonging to a neighbor, but then someone breaks into the person’s house and steals that neighbor’s belonging.
“Your neighbor can’t necessarily sue you because someone made you a victim, but they still have repercussions,” he said, adding another scenario. “If someone gets your credit card data, the credit card company is still going to make sure you’re not liable for those things. You, yourself are doing everything you can, so you have a baseline, affirmative defense.”
Tying this to the proposed legislation, if a company is doing everything they can by meeting security guidelines but the company’s data is hacked, that company will have an affirmative defense. The bill gives Utah businesses that store data under available guidelines legal reassurance rather than taking a purely punitive approach. It does not remove liability from companies that are not compliant with the standards.
Brooks said the bill is designed to create a standard that he believes will elevate overall data security because businesses currently prefer to risk a data breach rather than spend to enforce security due to high costs. The baseline will be determined by contemporary national standards that are updated regularly.
The standards are based upon those released by the National Institute of Standards and Technology and the Federal Risk and Authorization Management Program Security Assessment Framework amongst several others or an “industry recognized cybersecurity framework.” Brooks said the bill was written with the intention to be flexible with newer guidelines and standards in the ever-changing cybersecurity field.
Data Security Amendments was originally introduced in the 2020 legislative session by then-Rep. Marc Roberts of District 67. The bill advanced from the House to the Senate but timed out with the session on March 12, 2020.
With Roberts out of office, he asked Brooks to assume running the bill this session.
HB 80 is being supported by Andrew Kingman, general counsel of the State Privacy and Security Coalition, a national advocacy group on consumer data.
“We believe that this is a really good tool to protect consumers by incentivizing businesses to take seriously their cybersecurity planning,” Kingman said in public comments to the House Business and Labor Committee on Monday. “I think Utah can establish itself as a real leader in this field by moving this bill forward.”
The coalition backed the bill despite the general cost of reaching compliance to businesses stretching into thousands of dollars. With HB 80, businesses that work hard and spend to reach general compliance are rewarded with the knowledge that they will be protected in the event of a breach. According to the Identity Theft Resource Center, there were 1,108 breaches and data exposures in 2020, impacting 300 million people.
To Brooks, it would be a win for all consumers as all industries see their security levels boosted.
“It kind of drives people to get up to those standards because it’s not cheap,” Brooks said. “As they do that, we feel that the standards as a whole, the citizens as a whole, their data will be more secure. I’ve seen that in my own (health) industry. … If everybody’s on board, dedicated to making sure your personal health information is more protected, more and more people are doing it. We fix everybody in the industry overall.”
HB 80 is scheduled for a vote in the House. If it passes, it will move to the Senate for consideration.
Copyright St. George News, SaintGeorgeUtah.com LLC, 2021, all rights reserved.