Utah


Utah Code §§ 13-44-101, 13-44-201, 13-44-202, 13-44-301

S.B. 69 (signed into law March 20, 2006, Session Law Chapter 343)

Effective January 1, 2007 
Application.  Any Entity that owns or licenses computerized data that includes PI concerning a UT resident.

Security Breach Definition.  Unauthorized acquisition of computerized data maintained by an Entity that compromises the security, confidentiality, or integrity of PI.
    • Does not include the acquisition of PI by an employee or agent of the Entity possessing unencrypted computerized data unless the PI is used for an unlawful purpose or disclosed in an unauthorized manner.
Notification Obligation.  If an investigation reveals that the misuse of PI for identity theft or fraud has occurred, or is reasonably likely to occur, the Entity shall provide notification to each affected UT resident.
    • Notification is not required if after a good-faith, reasonable and prompt investigation the Entity determines that it is unlikely that PI has been or will be misused for identity theft or fraud.
Third-Party Data Notification.  An Entity that maintains computerized data that includes PI the Entity does not own or license shall notify and cooperate with the owner or licensee of the information immediately following the Entity’s discovery of a breach of system security, if misuse of the PI occurs or is reasonably likely to occur.

Timing of Notification.  Notification shall be provided in the most expedient time possible and without unreasonable delay, after determining the scope of the breach of system security and after restoring the reasonable integrity of the system.

Personal Information Definition.  A person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or data element is unencrypted or not protected by another method that renders the data unreadable or unusable:
    • Social Security Number;

    • Driver license number or state identification card number; or

    • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to the person’s account.
PI does not include information, regardless of its source, contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.

Notice Required.  Notice may be provided by one of the following methods:
    • In writing by first-class mail to the most recent address the Entity has for the resident;

    • By telephone, including through the use of automatic dialing technology not prohibited by other law;

    • Electronically, if the Entity’s primary method of communication with the resident is by electronic means, or if provided consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act); or

    • By publishing notice of the breach of system security in a newspaper of general circulation.
Substitute Notice.  Substitute notice is not available in UT.

Exception: Own Notification Policy.  If an Entity maintains its own notification procedures as part of an information security policy for the treatment of PI, the Entity is considered to be in compliance with this chapter’s notification requirements if the procedures are otherwise consistent with this chapter’s timing requirements and the Entity notifies each affected UT resident in accordance with its information security policy in the event of a breach.

Exception: Compliance with Other Laws.  An Entity that is regulated by state or federal law and maintains procedures for a breach of system security under applicable law established by its primary state or federal regulator is considered to be in compliance with this part if the Entity notifies each affected UT resident in accordance with that other applicable law in the event of a breach.

Penalties. Violators are subject to a civil fine of no more than $2,500 for a violation or series of violations concerning a specific consumer and no more than $100,000 in the aggregate for related violations concerning more than one consumer.

Other Key Provisions:
    • Delay for Law Enforcement. An Entity may delay providing notification at the request of a law enforcement agency that determines that notification may impede a criminal investigation. Notification shall then be provided in good faith, without unreasonable delay, and in the most expedient time possible after the law enforcement agency informs the Entity that notification will no longer impede the criminal investigation.

    • AG Enforcement.

    • Waiver Not Permitted.