On May 1, 2024, amendments to Utah’s cybersecurity and data breach notification law took effect.
The state’s cybersecurity and data breach notification law requires an organization that conducts business in the State of Utah to prevent the unlawful use or disclosure of personal information collected by the organization.
Under the requirements, if an organization that owns or maintains the personal information of a Utah resident becomes aware of a breach of system security, the organization must investigate to determine if the personal information has been or will be misused. If misuse has occurred or is likely to occur, the organization must notify every affected Utah resident. And if 500 or more Utah residents are affected, the organization must notify the Utah Attorney General’s Office and the Utah Cyber Center. The Utah Cyber Center coordinates efforts between state, local, and federal resources to support security and defend against cyber-attacks.
The recent amendments revise the definition of “personal data” to be information that “is linked or can be reasonably linked” to an identified individual or identifiable individual.
Concerning nongovernmental entities, the amendments add a definition of the term “data breach,” which is now defined as the “unauthorized access, acquisition, disclosure, loss of access, or destruction of” the personal data of more than 500 or more individuals; or, of data that “compromises security, confidentiality, availability, or integrity of the computer system in use or information maintained by a governmental entity.”
The amendments reiterate that the disclosure of a breach may be confidential and classified as a protected record.
The amendments require reporting entities to include additional information in breach notifications, including:
- the date the breach of the system security occurred;
- the date the breach was discovered;
- the total number of people impacted by the breach, with a breakout of the total number of Utah residents;
- the type of personal information involved in the breach; and,
- a short description of the breach that occurred.
Utah also revised reporting requirements for governmental entities that discover a data breach. Governmental entities shall include all of the above-referenced items when reporting to the Cyber Center and also:
- The path or means by which access was gained to the system, computer, or network, if known
- The individual or entity who perpetrated the data breach, if known
- Any other details requested by the Cyber Center