Utah Updates Breach Notification Law
Utah has updated its online data security and privacy laws with new definitions and new requirements for data breach notifications to the Utah Cyber Center. The amendments were signed into law by Utah Governor Spencer J. Cox on March 19, 2024, and updated the Utah Protection of Personal Information Act and the Utah Technology Governance Act.
The Utah Cyber Center was established by the Utah Technology Governance Act and coordinates efforts between State, Local, and Federal resources to bolster statewide security and help defend against future cyberattacks. The online data security and privacy amendments (S.B. 98) to the Technology Governance Act establish new definitions for a data breach reporting to the Utah Cyber Center. A data breach is defined as “the unauthorized access, acquisition, disclosure, loss of access, or destruction of (a) personal data affecting 500 or more individuals; or (b) data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity.” Personal data is defined as any information that is linked to or can reasonably be linked to an identified individual or an identifiable individual.
The amended law also includes details of the types of information that government entities must provide when reporting data breaches to the Utah Cyber Center. These requirements include the date/time of the breach; date of breach discovery; number of people affected, data types involved, a short description of the breach; path/means of access; perpetrator of the breach (if known); the steps taken in response to the data breach; and any other specific information requested by the Utah Cyber Center. The Protection of Personal Information Act has been amended to state that documents submitted to the Attorney General or the Utah Cyber Center may be deemed confidential and classified as a protected record in certain circumstances.
