Utah's Cybersecurity Safe Harbor (UCADA): What Small Businesses Should Know
By Cooper Kelley, Founder, Tailwater Tech · July 15, 2026
Most cybersecurity advice is about avoiding a breach. Utah has a law about what happens after one, and it can work in your favor if you did the right things beforehand. The Cybersecurity Affirmative Defense Act (UCADA) gives businesses that maintain a reasonable security program a legal defense when they get sued over a data breach. It is one of the few places where investing in security pays you back directly. This is a plain-English overview, not legal advice.
What UCADA actually does
Passed in 2021, UCADA creates an affirmative defense for a business sued in a Utah court after a breach of personal information, as long as the business maintained a written cybersecurity program that reasonably conforms to a recognized framework. It does not stop lawsuits or regulatory fines, and it is not a shield you can wave around to avoid all consequences. What it gives you is a real, statutory defense to raise, which a business that took security seriously can use and a business that did not cannot.
Why it matters for a small business
Data-breach lawsuits are getting more common, and small businesses are increasingly the target because they are seen as softer. UCADA means the security work you do is not only risk reduction, it is legal leverage. A firm with a documented program mapped to a recognized standard is in a completely different position than one that just had antivirus and hoped. The catch is timing: the defense only exists if you built and documented the program before the breach. You cannot backfill it afterward.
What “reasonable” means
The law does not demand perfection or a specific product. It asks for a written program that conforms to a recognized framework (such as the CIS Controls, the NIST Cybersecurity Framework, ISO 27001, or the security rules under HIPAA or the FTC Safeguards Rule), scaled to your size, complexity, and the sensitivity of the data you hold. For most small businesses that means the fundamentals, done properly and written down:
- MFA and encryption across the systems that hold sensitive data.
- Monitored endpoint protection and current patching.
- Tested backups and access controls.
- A written program that maps to a recognized framework, kept current.
- Staff training, because people are the most common way in.
How to actually get the protection
The safe harbor rewards preparation, not good intentions. In practice: pick a recognized framework appropriate to your size, implement the controls, write the program down, and keep it current. That is exactly what a managed IT and security program delivers, the controls plus the documentation that maps to a framework. And if you are a regulated firm, a healthcare practice or an accounting firm, you likely need most of this anyway, so UCADA is one more reason to do it right rather than a separate project.
Would your security hold up as a defense?
We build and document the kind of reasonable, framework-aligned security program UCADA rewards, as part of managed IT. Let us show you where you stand.
Talk it through