Utah Code 78B-4-703. Components of a cybersecurity program eligible for an affirmative defense
Current as of: 2024
Terms Used In Utah Code 78B-4-703
- Amendment: A proposal to alter the text of a pending bill or other measure by striking out some of it, by inserting new language, or both. Before an amendment becomes part of the measure, the legislature must agree to it.
- Breach of system security: means the same as that term is defined in Section 13-44-102. See Utah Code 78B-4-701
- NIST: means the National Institute for Standards and Technology in the United States Department of Commerce. See Utah Code 78B-4-701
- PCI data security standard: means the Payment Card Industry Data Security Standard. See Utah Code 78B-4-701
- Person: includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, another state, or another country. See Utah Code 78B-4-701
- Personal information: means the same as that term is defined in Section 13-44-102. See Utah Code 78B-4-701
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
(1) Subject to Subsection (3), a person's written cybersecurity program reasonably conforms to a recognized cybersecurity framework if the written cybersecurity program:
(1)(a) is designed to protect the type of personal information obtained in the breach of system security; and
(1)(b)
(1)(b)(i) is a reasonable security program described in Subsection (2);
(1)(b)(ii) reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
(1)(b)(ii)(A) NIST special publication 800-171;
(1)(b)(ii)(B) NIST special publications 800-53 and 800-53a;
(1)(b)(ii)(C) the Federal Risk and Authorization Management Program Security Assessment Framework;
(1)(b)(ii)(D) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
(1)(b)(ii)(E) the International Organization for Standardization/International Electrotechnical Commission 27000 Family – Information security management systems;
(1)(b)(iii) for personal information obtained in the breach of the system security that is regulated by the federal government or state government, reasonably complies with the requirements of the regulation, including:
(1)(b)(iii)(A) the security requirements of the Health Insurance Portability and Accountability Act of 1996, as described in 45 C.F.R. Part 164, Subpart C;
(1)(b)(iii)(B) Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended;
(1)(b)(iii)(C) the Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283;
(1)(b)(iii)(D) the Health Information Technology for Economic and Clinical Health Act, as provided in 45 C.F.R. Part 164;
(1)(b)(iii)(E) Title 13, Chapter 44, Protection of Personal Information Act; or
(1)(b)(iii)(F) any other applicable federal or state regulation; or
(1)(b)(iv) for personal information obtained in the breach of system security that is the type of information intended to be protected by the PCI data security standard, reasonably complies with the current version of the PCI data security standard.
(2) A written cybersecurity program is a reasonable security program under Subsection (1)(b)(i) if:
(2)(a) the person coordinates, or designates an employee of the person to coordinate, a program that provides the administrative, technical, and physical safeguards described in Subsections 78B-4-702(4)(a) and (c);
(2)(b) the program under Subsection (2)(a) has practices and procedures to detect, prevent, and respond to a breach of system security;
(2)(c) the person, or an employee of the person, trains and manages employees in the practices and procedures under Subsection (2)(b);
(2)(d) the person, or an employee of the person, conducts risk assessments to test and monitor the practice and procedures under Subsection (2)(b), including risk assessments on:
(2)(d)(i) the network and software design for the person;
(2)(d)(ii) information processing, transmission, and storage of personal information; and
(2)(d)(iii) the storage and disposal of personal information; and
(2)(e) the person adjusts the practices and procedures under Subsection (2)(b) in light of changes or new circumstances needed to protect the security, confidentiality, and integrity of personal information.
(3)
(3)(a) If a recognized cybersecurity framework described in Subsection (1)(b)(ii) or (iv) is revised, a person with a written cybersecurity program that relies upon that recognized cybersecurity framework shall reasonably conform to the revised version of the framework no later than one year after the day in which the revised version of the framework is published.
(3)(b) If a recognized cybersecurity framework described in Subsection (1)(b)(iii) is amended, a person with a written cybersecurity program that relies upon that recognized cybersecurity framework shall reasonably conform to the amended regulation of the framework in a reasonable amount of time, taking into consideration the urgency of the amendment in terms of:
(3)(b)(i) risks to the security of personal information;
(3)(b)(ii) the cost and effort of complying with the amended regulation; and
(3)(b)(iii) any other relevant factor.