On May 1, 2024, amendments to Utah's Cybersecurity and Data Breach Notification Act became effective.
Utah's Cybersecurity and Data Breach Notification Act requires organizations doing business in Utah to prevent the unlawful use or disclosure of personal information they collect.
Under this requirement, if an organization that owns or controls the personal information of Utah residents becomes aware of a breach of system security, that organization must be able to determine whether the personal information has been or will be misused. Need to investigate. If exploitation occurs or there is potential for exploitation, organizations must notify all affected Utah residents. And if more than 500 Utah residents are affected, organizations must notify the Utah Attorney General's Office and the Utah Cyber Center. The Utah Cyber Center coordinates efforts among state, local, and federal resources to support security and protect against cyberattacks.
Recent amendments amended the definition of “personal data” to be information “associated with, or reasonably associated with” an identified or identifiable individual.
For non-governmental organizations, the amendment introduces a definition for the term “data breach,” which is now defined as “unauthorized access, acquisition, disclosure, loss of access, or destruction” of the personal data of 500 or more people. Masu. or data that “compromises the security, confidentiality, availability, or integrity of computer systems in use or of information controlled by a government agency.”
The amendment reiterates that disclosures of violations will be confidential and may be classified as protected records.
The amendments require reporting entities to include additional information in violation notifications, such as:
- Date the system security breach occurred.
- Date the breach was discovered.
- Total number of people affected by the breach, including the total number of Utah residents.
- Types of personal information involved in the breach. and,
- A brief description of the breach that occurred.
Utah also revised reporting requirements for government agencies that discover data breaches. Government agencies must include all of the references listed above when reporting to the Cyber Center, and must also include:
- If known, the path or means of access to a system, computer, or network
- The person or entity who committed the data breach (if known)
- Any other details requested by the Cyber Center