Tennessee - Session 114
Title: AN ACT to amend Tennessee Code Annotated, Title 20; Title 29 and Title 47, Chapter 18, relative to data security.
CYBERSECURITY PROGRAM

This bill requires a business that accesses, receives, stores, maintains, communicates, or processes personal information, personal health information, or restricted information in or through one or more systems, networks, or services located in or outside of this state ("covered entity") seeking an affirmative defense under this bill to create, maintain, and comply with a written cybersecurity program that contains administrative, technical, operational, and physical safeguards for the protection of both personal information, personal health information, and restricted information at the time of the breach. The program must be designed to do all of the following:

- Protect against a breach of security.
- Protect the security and integrity of personal information, personal health information, and restricted information.
- Protect against any anticipated threat to the security or integrity of personal information, personal health information, and restricted information.
- Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach, including conducting annual privacy and security risk assessments.
- Communicate to any affected parties the extent of any risk posed and actions the affected parties may take to reduce any damages if a data breach is known to have occurred.

This bill requires the covered entity to have a chief information officer or security officer assigned to coordinate the program and take measures to train employees on the necessary safety practices and regulations. A covered entity satisfies the above requirements if the written cybersecurity program contains written protocols that reasonably conform to an industry-recognized cybersecurity framework at the time of the breach.

AFFIRMATIVE DEFENSE

This bill provides that a covered entity that satisfies the above requirements is entitled to an affirmative defense to any cause of action in tort brought under the laws of this state or in the courts of this state, even if the covered entity's agent breached the covered entity's data, when it is alleged that the failure to implement reasonable information security controls resulted in a data breach of personal information, personal health information, or restricted information. However, a covered entity may not claim such an affirmative defense if the covered entity had actual notice of a threat or hazard to the security or integrity of the personal information, personal health information, or restricted information and did not act to mitigate the threat or potential hazard within a reasonable time in accordance with the industry-recognized cybersecurity framework timeframe to make proper notifications to inform affected parties a breach has occurred.

CONFORMATION TO INDUSTRY-RECOGNIZED CYBERSECURITY FRAMEWORK

This bill provides that a covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this bill if, at the time of the breach, any of the following criteria is met:

- The cybersecurity program reasonably conforms to the current version of (i) the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST); (ii) NIST Special Publication 800-171; (iii) NIST Special Publications 800-53 and 800-53A; (iv) the International Organization for Standardization and International Electrotechnical Commission's 27000 Family of Standards; (v) the Federal Risk and Authorization Management Program Security Assessment Framework; or (vi) the Center for Internet Security's Critical Security Controls for Effective Cyber Defense.
- The covered entity is regulated by the state, the federal government, or both, or is otherwise subject to, and the cybersecurity program reasonably conforms to, the entirety of the current version of one or more of the following at the time of the breach: (i) the security requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA); (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act of 2014; (iv) the Health Information Technology for Economic and Clinical Health (HITECH) Act; or (v) another applicable federal or state regulation.
- The cybersecurity framework reasonably complies with both the current version of the payment card industry data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework.

However, if a new and final revision to a framework listed above is published, then this bill requires a covered entity whose cybersecurity program reasonably conforms to such framework to conform the elements of its cybersecurity program to the revised framework, or another applicable framework listed above, within the timeframe provided, if any, in the relevant framework upon which the covered entity intends to rely to support its affirmative defense. In all cases, the covered entity must come into compliance with the new and final revision, or another framework listed above, within the earlier of one year after the publication date of the new and final revision or its stated compliance date, if any.

NO PRIVATE CAUSE OF ACTION

This bill does not create a private right or cause of action, including a class action, with respect to any act or practice regulated under this bill.
| Date | Event | Detail |
|---|---|---|
| 2025-02-05 | Introduced | Bill introduced |
| 2026-03-09 | Status | in_committee |
| 2026-03-09 | Latest Action | Assigned to General Subcommittee of Senate Judiciary Committee |