[co-author: Edwin Jones]
Utah recently amended its general data breach notification law to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The amendments also clarify when a notice is considered confidential under the state's public records law.
As of May 1, 2024, Utah law provides:
- Notifications of “system security breaches” provided to the Attorney General or the Utah Cyber Center must include the following, if known or available:
  - Date the breach occurred.
  - Date the breach was discovered.
  - Total number of individuals affected, including total number of Utah residents.
  - The type of personal information involved; and
  - A brief description of the breach that occurred.
- Notifications to the Attorney General or the Utah Cyber Center, and information generated by those offices in providing coordination or assistance, may be considered confidential and classified if certain requirements of public records law are met. Specifically, the notification must include a written claim of business confidentiality and a concise statement of the reasons supporting the claim of confidentiality.
The amendments also clarify agency reporting requirements for the Utah Cyber Center. The changes:
- Define “Data Breach” as the unauthorized access, acquisition, disclosure, loss of access, or destruction of:
  - Personal data that affects more than 500 individuals; or
  - Data that compromises the security, confidentiality, availability, or integrity of computer systems or information controlled by government agencies.
- Define “Personal Data” as information that is associated with, or can reasonably be associated with, an identified or identifiable natural person.
- Require agencies, when notifying the Cyber Center of a data breach, to include the following information:
  - Date and time the data breach occurred.
  - Date the data breach was discovered.
  - The total number of people affected by the data breach, including the total number of Utah residents affected.
  - Types of personal data involved in the data breach.
  - A brief description of the data breach that occurred.
  - The path or means, if any, of access to the system, computer, or network.
  - The person or entity who committed the data breach, if known.
  - Actions that government agencies are taking or have taken to mitigate the impact of data breaches; and
  - Any other details requested by the Cyber Center.
- Add confidentiality requirements under Utah's public records law, including that the following information may be considered confidential:
  - Information that a government agency provides to the Cyber Center as part of a notification; and
  - Information generated by the Cyber Center in response to a report of a data breach.
If considered confidential, information can only be shared in accordance with public records laws.
Businesses and government agencies subject to Utah law should continue to review and update their incident response plans to reflect these and other legal changes. It remains important to stay informed about current cybersecurity threats, identify and address vulnerabilities, and ensure that administrative, technical, and physical controls are in place.
*Edwin Jones is a paralegal in the Cybersecurity Practice Group.