Security Breach Policy in the State of Utah, Regulation

Utah Code §§ 13-44-101 is a data breach notification law that was passed in the U.S. state of Utah in 2009 and recently amended in 2019. As the state of Utah has yet to pass a comprehensive data protection law, Utah Code §§ 13-44-101 represents the primary means by which certain categories of personal information pertaining to residents of the state are protected in the event of a security breach. Agencies, businesses, and organizations are therefore required to adhere to the various provisions set forth in Utah Code §§ 13-44-101, or face sanctions and penalties imposed by the Utah Attorney General.

How does Utah Code §§ 13-44-101 define the term security breach?

Under Utah Code §§ 13-44-101, a security breach is defined as the “unauthorized acquisition of computerized data maintained by an Entity that compromises the security, confidentiality, or integrity of PI.” The law also states that a security breach “does not include the acquisition of PI by an employee or agent of the Entity possessing unencrypted computerized data unless the PI is used for an unlawful purpose or disclosed in an unauthorized manner.” Moreover, as it relates to the scope and applicability of the law, the provisions of Utah Code §§ 13-44-101 apply to “any Entity who owns or licenses computerized data that includes PI concerning a UT resident.”

What are the data breach requirements of business entities under Utah Code §§ 13-44-101?

Utah Code §§ 13-44-101 mandates that business entities operating within the state of Utah provide data breach notification to all affected individuals in the event that such an incident occurs. These notifications must be provided to Utah residents without unreasonable delay, and must provide said residents with information concerning the scope and severity of the breach, as well as the steps that have been taken to restore the integrity of the data system in which the breach took place, among other things. What’s more, third parties that are associated with business entities within Utah must also comply with the provisions of Utah Code §§ 13-44-101.

To this point, Utah Code §§ 13-44-101 states that business entities and organizations within Utah can provide data breach notifications to residents of the state in accordance with the following methods:

  • Written notice that is sent via first-class mail to the most recent mailing address the affected entity has for the resident.
  • By telephone, including through the use of automatic dialing technology not prohibited by other laws.
  • Electronically, if the Entity’s primary method of communication with the resident is by electronic means, or if provided consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

What categories of personal information are covered under Utah Code §§ 13-44-101?

Under Utah Code §§ 13-44-101, the following categories of personal information are legally protected in the event of a data breach, in combination with a Utah resident’s first name or first initial and last name, provided these data elements have not been encrypted or otherwise altered by another method that would render the information unintelligible:

  • Social security numbers.
  • Driver’s license numbers and state identification card numbers.
  • Account numbers and credit and debit card numbers, as well as any required security codes, access codes, or passwords that could be used to gain access to an individual’s financial account.

The provisions of Utah Code §§ 13-44-101 are enforced by the Utah Attorney General. Accordingly, the Utah Attorney General has the authority to impose numerous penalties against agencies, businesses, and organizations within the state that are found to be in violation of the law. Such punishments include “a civil fine of no more than $2,500 for a violation or series of violations concerning a specific consumer and no more than $100,000 in the aggregate for related violations concerning more than one consumer. The latter limitation does not apply if the violations concern more than 10,000 Utah residents and more than 10,000 residents of other states, or if the Entity agrees to settle for a greater amount.”

As all fifty states within the U.S., along with major territories such as Guam and Puerto Rico, have passed some form of data breach legislation as of 2022, Utah Code §§ 13-44-101 represents such legislation for citizens residing in the state of Utah. Through legislation such as Utah Code §§ 13-44-101, Utah residents can seek justice and financial compensation in the event that certain categories of personal information pertaining to them are compromised during a data breach. Despite the fact that Utah has yet to pass a comprehensive data protection law, residents of the state can still protect their personal information through the requirements established in Utah Code §§ 13-44-101.