Utah’s New Data Breach Notification Rules in Effect
This year, Utah has updated its data breach notification law, with new amendments to enhance data security. Signed into law by Governor Spencer J. Cox back on March 19, 2024, S.B. 98 Online Data Security and Privacy Amendments took effect on May 1, 2024. Key updates include the establishment of the Utah Cyber Center to coordinate cybersecurity efforts and detailed reporting requirements for data breaches affecting 500 or more individuals. Notifications must include specifics about the breach, such as the number of affected individuals, types of data involved, and actions taken in response.
Below we are including a short summary of what has changed:
- the new rules define a "data breach" as the unauthorized access, acquisition, disclosure, loss of access, or destruction of personal data that affects 500 or more individuals, including also any incident that compromises the security, confidentiality, availability, or integrity of computer systems used by government entities;
- the law establishes the Utah Cyber Center, which will coordinate cybersecurity efforts across state, local, and federal levels;
- entities have to report data breaches to both the Utah Cyber Center and the Attorney General if they affect 500 or more Utah residents, and if the breach affects 1,000 or more residents, they must also report this to consumer reporting agencies;
- the data breach notification must include detailed information such as:
- The date and time of the breach.
- When the breach was discovered.
- The number of individuals affected.
- The types of data involved.
- A description of the breach.
- How the breach occurred, if known.
- The steps taken in response to the breach.
- If certain conditions outlined in the public records law are satisfied, notifications sent to the Attorney General or Utah Cyber Center, along with any related information these offices provide during coordination or assistance, may be considered confidential and classified. To qualify, the notification must include a written assertion of business confidentiality accompanied by a clear explanation of the reasons justifying this confidentiality claim.
It is expected that starting May 1, 2024 covered entities have already begun complying with these new data breach notification rules and where that is not yet the case that they are in the process of familiarizing themselves with the new requirements.
Read more about Utah’s data privacy law, the UCPA, in our overview of the law.