Utah changes data breach reporting requirements | Constangy, Brooks, Smith & Prophete, LLP

(co-author: Edwin Jones)

The state of Utah recently amended its general data breach notification statute to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The changes also clarify when reports can be considered confidential or classified under the state’s public records law.

Effective May 1, 2024, Utah statute provides:

  • Notification regarding a “breach of system security” to the Attorney General or the Utah Cyber Center must include, if known or available:
    • the date the breach occurred;
    • the date the breach was discovered;
    • the total number of individuals affected, including the total number of Utah residents;
    • the type of personal information involved; and
    • a brief description of the breach that has occurred.
  • Notice to the Attorney General or the Utah Cyber Center, as well as any information these offices produce in providing coordination or assistance, may be considered confidential and classified if certain requirements in the Public Records Act are met. Specifically, the notification must include a written claim of trade secrecy, together with a brief statement of reasons supporting the confidentiality claim.

The changes also clarify reporting requirements from government agencies to the Utah Cyber Center. These changes:

  • Define “data breach” as unauthorized access, acquisition, disclosure, loss of access or destruction of:
    • personal data relating to 500 or more persons; or
    • data that compromises the security, confidentiality, availability, or integrity of computer systems or information maintained by a government agency.
  • Define “personal information” as any information that relates to or could reasonably be linked to an identified or identifiable individual.
  • Require that a government agency include the following information when notifying the Cyber Center of a data breach:
    • the date and time when the data breach occurred;
    • the date the data breach was discovered;
    • the total number of people affected by the data breach, including the total number of affected Utah residents;
    • the type of personal data involved in the data breach;
    • a brief description of the data breach that has occurred;
    • the path or means by which the system, computer or network was accessed, if known;
    • the person or entity that committed the data breach, if known;
    • steps that the government agency is taking or has taken to limit the impact of the data breach; and
    • all other information requested by the Cyber Center.
  • Add confidentiality requirements, including that the following information may be considered confidential under Utah’s public records law:
    • information that a government agency provides to the Cyber Center as part of its notification; and
    • information that the Cyber Center produces in response to a report of a data breach.

If deemed confidential, the information may only be shared in accordance with the Public Records Act.

Businesses and government agencies subject to Utah law must continue to review and update their incident response plans to reflect these and other changes in the law. Staying abreast of current cybersecurity threats, identifying and addressing vulnerabilities, and confirming the adequacy of administrative, technical, and physical controls remains essential.

*Edwin Jones is a legal assistant in the Cybersecurity practice group.