On May 1, 2024, significant amendments to Utah’s cybersecurity and data breach notification law came into effect, enhancing the state’s framework for handling personal information breaches. The updated law mandates that any organization conducting business in Utah must prevent unlawful use or disclosure of collected personal information. If a breach occurs, the organization must investigate and determine if the personal information has been or is likely to be misused. In such cases, all affected Utah residents must be notified. Furthermore, if the breach affects 500 or more residents, the organization must inform the Utah Attorney General’s Office and the Utah Cyber Center, which coordinates state, local, and federal efforts to bolster security and counter cyber threats.
The amendments redefine “personal data” to include any information that is linked or can be reasonably linked to an identifiable individual. They also establish a new definition for “data breach” for nongovernmental entities, encompassing unauthorized access, acquisition, disclosure, loss, or destruction of personal data affecting more than 500 individuals or compromising the security, confidentiality, availability, or integrity of a governmental system. These changes aim to provide a clearer framework for identifying and managing data breaches.
Organizations are now required to include more comprehensive information in their breach notifications. This includes the date of the breach, the date of discovery, the total number of people impacted (with a specific count of Utah residents), the type of personal information involved, and a brief description of the breach. These detailed notifications are intended to ensure transparency and a prompt response to data breaches, helping affected individuals take necessary precautions.
Additionally, the amendments revise reporting requirements for governmental entities. When a data breach is discovered, these entities must report the breach to the Utah Cyber Center, including details such as the path or means by which access was gained, the perpetrator if known, and any other information requested by the Cyber Center. These enhanced reporting requirements are designed to facilitate better coordination and response to cybersecurity incidents at all levels of government.