Utah Protection of Personal Information Act (Data Breach)
Utah Code § 13-44-101, et seq.
SUMMARY:
EFFECTIVE. January 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person or business that owns or licenses computerized data that includes Personal Information on a State resident; and (2) any person or business that maintains computerized data that includes Personal Information on a State resident.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity, or confidentiality of Personal Information maintained by a person or business. Good faith acquisition of Personal Information by an employee or agent of the person or business possessing unencrypted computerized data is not a breach, provided the information is not used for an unlawful purpose or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
- Social Security Number.
- Driver's license number or State identification card number.
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account.
Personal Information does not include information from Federal, State, or local government records, or widely distributed media that is lawfully available to the general public.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected if, after a reasonable and prompt investigation, it is determined that misuse of the Personal Information for identity theft or fraud purposes has occurred or is reasonably likely to occur.
EXCEPTIONS. Notification under this Section is not required in the following cases:
- After a reasonable and prompt investigation, the covered entity determines that the Personal Information has not been and will not be misused for identity theft or fraud; no notification is required.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, and those procedures are otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected residents are notified in accordance with its policies.
- A person or business that is regulated by State or Federal law and maintains breach notification procedures pursuant to those State or Federal laws or rules is considered in compliance with this Section if the affected residents are notified in accordance with those procedures.
WHEN TO NOTIFY OF THE BREACH. The obligation arises when the person or business first becomes aware of an incident of unauthorized acquisition. Notice shall be given in the most expedient manner possible and without unreasonable delay, taking into account the needs of law enforcement, and after the scope of the breach has been determined and the reasonable integrity of the data system has been restored. Notification may be delayed if law enforcement requests a delay because notice would impede a criminal investigation; in that case, notification must be made in the most expedient time possible and without unreasonable delay once law enforcement has cleared it.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (by first class mail to the last known address of the resident).
- Telephonic (including by automatic dialing technology not otherwise prohibited).
- Electronic (if electronic communication is the primary means of communication with the resident, or if the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Publication in a newspaper of general circulation.
NOTICE TO THIRD PARTIES. A person or business that maintains computerized data that includes Personal Information it does not own shall notify, and cooperate with, the owner or licensee regarding any security breach immediately upon discovery. The person or business that owns or licenses the computerized data is the party responsible for providing notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may seek a civil fine of up to $2,500 for a violation or series of violations concerning a specific consumer, not to exceed $100,000 in the aggregate for related violations. In addition, the Attorney General may seek a court order to prevent further violations of this law.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Utah enacted a safe harbor law that provides an affirmative defense against certain claims arising from a data breach for companies that create, maintain, and reasonably comply with a written cybersecurity program. The affirmative defense is not available to a company that had actual notice of a threat or hazard to the security of its Personal Information and failed to take reasonable remedial action within a reasonable time. Utah Code § 78B-4-701, et seq.
DATA DISPOSAL PROVISIONS. Utah Code § 13-44-201. Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to: (a) prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business; and (b) destroy, or arrange for the destruction of, records containing personal information that are not to be retained by the person.
LEGISLATIVE UPDATES.
S.B. 69 – Signed into law on 3/20/2006, Effective 1/1/2007.
S.B. 208 – Signed into law on 3/30/2009, Effective 5/12/2009.
S.B. 193 – Signed into law on 3/26/2019, Effective 5/14/2019.
For more information, see here: https://le.utah.gov/xcode/Title13/Chapter44/13-44.html?v=C13-44_1800010118000101
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.