Utah Rewards Businesses That Take Security Seriously

HB80 gives companies legal protection from data breach lawsuits — if they maintain a qualifying cybersecurity program.

Effective May 5, 2021 · Utah Code § 78B-4-701

The Law

What HB80 Does for You

If your business suffers a data breach and you end up in court, HB80 gives you an affirmative legal defense — covering both tort and contract claims — as long as you had a qualifying written cybersecurity program in place. It protects you against three types of claims:

Security Failure

Alleging you failed to implement reasonable controls.

Breach Response

Alleging you failed to respond appropriately.

Notification Failure

Alleging you failed to notify affected individuals.

How to Qualify

What Your Program Needs

The law is deliberately flexible — a 50-person company isn't held to Fortune 500 standards. Four conditions:

1. Administrative, Technical & Physical Safeguards

Protecting the security, confidentiality, and integrity of personal information.

2. Conformance to a Recognized Framework

Reasonable conformance — not certification — to one or more of the frameworks listed below.

3. Appropriate Scale & Scope

Proportionate to your size, complexity, data sensitivity, and available resources.

4. Reasonable Security Practices

A designated coordinator, detection/response procedures, employee training, and periodic risk assessments.

NIST 800-171
NIST 800-53
FedRAMP
CIS Controls
ISO 27000
PCI DSS
HIPAA
GLBA
FISMA
HITECH

Common Concern

Assessing Yourself Doesn't Create Liability

A Risk Assessment ≠ “Actual Notice”

The law explicitly states that a risk assessment conducted to improve your security is not “actual notice” of a threat. Evaluating where you stand is exactly the behavior the law encourages.

When the defense doesn't apply: You had actual notice of a specific threat, failed to remediate it in a reasonable timeframe, and that threat caused the breach.

How SignumCyber Helps

Every Requirement. One Platform.

HB80 Requires | How We Help
Written program with safeguards | 73-domain assessment + policy creation wizard to build your program
Framework conformance | ISO 27001, NIST, SOC 2, HIPAA & PCI DSS
Appropriate scale & scope | Conditional logic adapts to your size, industry & environment
Risk assessments & testing | FAIR risk quantification in dollars with ongoing reassessment
Detection, response & remediation | Prioritized recommendations, incident response policy & evidence

Bigger Picture

A Growing National Movement

Seven states and counting. The program you build for Utah qualifies you elsewhere too.

Ohio 2018
Utah 2021
Connecticut 2021
Iowa 2023
Tennessee 2024
Oregon 2024
Texas 2025

Ready to Build Your Defense?

See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.

30 minutes. No pressure. Just clarity.

This page is general information about Utah's HB80, not legal advice. Consult a qualified attorney for guidance specific to your organization.