Utah
Click here to review text of state statute
Information Covered / Important Definitions
Information covered:
Personal information of Utah residents.
Important definitions:
“Security breach” means an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person who owns or licenses computerized data that includes personal information concerning a Utah resident.
Third party recipients:
A person who maintains computerized data that includes personal information that the person does not own must notify and cooperate with the owner or licensee of the information of any security breach immediately following discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or electronic notice must be provided to victims of a security breach following a prompt investigation within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Notice may also be completed by publishing notice of the security breach in a newspaper of general circulation and as required in Utah Code §451-101.
- Notification is only required if the covered entity determines that misuse of the personal information for identity theft or fraud has occurred or is reasonably likely to occur.
Other Obligations:
Any person who conducts business in Utah and maintains personal information must implement and maintain reasonable procedures to protect personal information and to ensure proper destruction of records containing personal information that no longer need to be retained, using methods such as shredding, erasing, or otherwise modifying the personal information so that it is indecipherable.
If a breach results in, or is likely to result in, misuse of personal information relating to 1,000 or more residents, notice is required to each consumer reporting agency.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or protected by another method that renders the data unreadable or unusable.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of a person possessing unencrypted computerized data so long as personal information is not used for an unlawful purpose or disclosed in an unauthorized manner.
A person is deemed in compliance with the Utah statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Utah statute.
A covered entity is deemed in compliance with the Utah statute if it complies with notification requirements or procedures imposed by its primary or functional federal regulator.
Notification to Regulator / Waiver
If a security breach impacts 500 or more Utah residents and misuse of personal information has occurred or is reasonably likely to occur, notice is required to (i) the Attorney General; and (ii) the Utah Cyber Center.
A determination of no likelihood of harm does not require notification to the Attorney General.
A waiver of the statute is void and unenforceable.
Penalties
Civil fines no greater than $2,500 per violation or series of violations concerning a specific consumer, and no greater than $100,000 in the aggregate for related violations concerning more than one consumer.
Injunctive relief is also available.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.