Utah, like most U.S. states, has enacted laws concerning data security and steps to take when a data breach occurs. Here is what Utah law provides as codified in Utah Code Ann. §§ 13–44–101 et seq. The law has been in effect since 2006.
Who the Law Applies To. The law applies to a person who owns or licenses computerized data that includes personal information about a Utah resident. It also applies to anyone who maintains computerized data on behalf of someone else.
“Personal information” means a person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person, when either the name or the data element is unencrypted or not protected by another method that renders the data unreadable or unusable:
(i) Social security number;
(ii)(A) Financial account number, or credit or debit card number; and (B) Any required security code, access code, or password that would permit access to the person’s account; or
(iii) Driver license number or state identification card number.
Notably, “personal information” does not include information — regardless of its source — contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.
What is a Data Breach? The term “breach” under this law means unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information. This term also includes the acquisition of personal information by an employee or agent of the person possessing unencrypted computerized data if the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.
What Triggers a Data Breach Notification. The trigger is when the data owner or maintainer becomes aware of a potential data breach. The data owner or maintainer must first conduct a prompt, good-faith investigation to determine whether personal information has been disclosed or will be misused for identity theft or fraud purposes. If the investigation indicates a reasonable likelihood of misuse of personal information, the data owner or maintainer must provide notification to each affected Utah resident.
Data owners or maintainers with their own notification procedures consistent with this chapter’s timing requirements may be considered to be in compliance with this chapter if they provide notification to affected Utah residents.
Data owners or maintainers primarily regulated by another state or federal law that are in compliance with that applicable law may also be exempt.
When and How To Notify. A person required to notify under Utah Code Ann. § 13–44–202(1) must notify in the most expedient time possible and without unreasonable delay. Written notice is permitted if sent by first-class mail to the most recent address the person has for the resident. Electronic notice is permitted if that is the primary method of communicating with the resident, or if it is provided in accordance with the consumer disclosure provisions of 15 U.S.C. Section 7001. Phone notice is also permitted (including through the use of automatic dialing technology not prohibited by other law). Notice may also be published in a newspaper of general circulation and, as required by Utah Code Ann. § 45–1–101, in accordance with Utah’s legal notice publication requirements.
What if Law Enforcement is Involved? A person may delay notification at the request of a law enforcement agency that determines that notification may impede a criminal investigation. A good-faith notification without unreasonable delay shall be made in the most expedient time possible after the law enforcement agency informs the person that notification will no longer impede the criminal investigation.
What are the Penalties For Non-Compliance? The consequences of non-compliance are enforced by the Utah Attorney General (investigation and adjudication). Violators are subject to civil fines up to $2,500 for a violation or series of violations concerning a specific consumer but no greater than $100,000 in the aggregate for related violations concerning more than one consumer. In addition, the Attorney General may seek injunctive relief. Although there is no private right of action, liability under contract or tort law is possible.
Other States’ Data Protection and Breach Notification Laws.
We have previously posted summaries of the data protection and breach laws for other states in the southwestern United States. For Arizona, click here. For California, click here, here and here. For Nevada, click here and here. For Colorado, click here. Stay tuned for further updates as these laws continue to evolve.