Utah Code § 13-44-101 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"(a) “Breach of system security” means an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
(b) “Breach of system security” does not include the acquisition of personal information by an employee or agent of the person possessing unencrypted computerized data unless the personal information is used for an unlawful purpose or disclosed in an unauthorized manner."
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible without unreasonable delay...", subject to exceptions for law enforcement, and after determining the scope of the breach and restoring the integrity of the system. Notice may be written, electronic, telephonic, or given by publishing the notice in a newspaper of general circulation and as required under § 45-1-101, which details which publications meet the requirement.
What are the penalties for non-compliance?
Violations have their own section of the law, § 13-44-301, which also deals with enforcement by the Attorney General. Nothing in the statute creates a private cause of action, but other areas of law may provide one (contract, tort). Civil penalties may be no greater than $2,500 for a violation or series of violations concerning a specific consumer and no greater than $100,000 in the aggregate for more than one consumer in related violations. The AG may also seek an injunction and/or attorney's fees and costs.
Lauren Bridges ©2023