Utah Code 13-44-202. Personal information — Disclosure of system security breach
Current as of: 2024
Terms Used In Utah Code 13-44-202
- Breach of system security: means an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information. See Utah Code 13-44-102
- Consumer: means a natural person. See Utah Code 13-44-102
- Discovery: Lawyers' examination, before trial, of facts and documents in possession of the opponents to help the lawyers prepare for trial.
- Fraud: Intentional deception resulting in injury to another.
- Person: means:
  (24)(a) an individual;
  (24)(b) an association;
  (24)(c) an institution;
  (24)(d) a corporation;
  (24)(e) a company;
  (24)(f) a trust;
  (24)(g) a limited liability company;
  (24)(h) a partnership;
  (24)(i) a political subdivision;
  (24)(j) a government office, department, division, bureau, or other body of government; and
  (24)(k) any other organization or entity.
  See Utah Code 68-3-12.5
- Personal information: means a person's first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or date element is unencrypted or not protected by another method that renders the data unreadable or unusable:
  (4)(a)(i) Social Security number;
  (4)(a)(ii)(A) financial account number, or credit or debit card number; and
  (4)(a)(ii)(B) any required security code, access code, or password that would permit access to the person's account; or
  (4)(a)(iii) driver license number or state identification card number.
  See Utah Code 13-44-102
- Record: includes materials maintained in any form, including paper and electronic. See Utah Code 13-44-102
- State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
- Writing: includes:
  (48)(a) printing;
  (48)(b) handwriting; and
  (48)(c) information stored in an electronic or other medium if the information is retrievable in a perceivable format.
  See Utah Code 68-3-12.5

(1)(a) A person who owns or licenses computerized data that includes personal information concerning a Utah resident shall, when the person becomes aware of a breach of system security, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes.
(1)(b) If an investigation under Subsection (1)(a) reveals that the misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur, the person shall provide notification to each affected Utah resident.
(1)(c) If an investigation under Subsection (1)(a) reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur, the person shall, in addition to the notification required in Subsection (1)(b), provide notification to:
  (1)(c)(i) the Office of the Attorney General; and
  (1)(c)(ii) the Utah Cyber Center created in Section 63A-16-1102.
(1)(d) If an investigation under Subsection (1)(a) reveals that the misuse of personal information relating to 1,000 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur, the person shall, in addition to the notification required in Subsections (1)(b) and (c), provide notification to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a.
(2) A person required to provide notification under Subsection (1) shall provide the notification in the most expedient time possible without unreasonable delay:
  (2)(a) considering legitimate investigative needs of law enforcement, as provided in Subsection (4)(a);
  (2)(b) after determining the scope of the breach of system security; and
  (2)(c) after restoring the reasonable integrity of the system.
(3)(a) A person who maintains computerized data that includes personal information that the person does not own or license shall notify and cooperate with the owner or licensee of the information of any breach of system security immediately following the person’s discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.
(3)(b) Cooperation under Subsection (3)(a) includes sharing information relevant to the breach with the owner or licensee of the information.
(4)(a) Notwithstanding Subsection (2), a person may delay providing notification under Subsection (1)(b) at the request of a law enforcement agency that determines that notification may impede a criminal investigation.
(4)(b) A person who delays providing notification under Subsection (4)(a) shall provide notification in good faith without unreasonable delay in the most expedient time possible after the law enforcement agency informs the person that notification will no longer impede the criminal investigation.
(5)(a) A notification required by Subsection (1)(b) may be provided:
  (5)(a)(i) in writing by first-class mail to the most recent address the person has for the resident;
  (5)(a)(ii) electronically, if the person’s primary method of communication with the resident is by electronic means, or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. § 7001;
  (5)(a)(iii) by telephone, including through the use of automatic dialing technology not prohibited by other law; or
  (5)(a)(iv) for residents of the state for whom notification in a manner described in Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system security:
    (5)(a)(iv)(A) in a newspaper of general circulation; and
    (5)(a)(iv)(B) as required in Section 45-1-101.
(5)(b) If a person maintains the person’s own notification procedures as part of an information security policy for the treatment of personal information the person is considered to be in compliance with the notification requirement in Subsection (1)(b) if the procedures are otherwise consistent with this chapter’s timing requirements and the person notifies each affected Utah resident in accordance with the person’s information security policy in the event of a breach.
(5)(c) A person who is regulated by state or federal law and maintains procedures for a breach of system security under applicable law established by the primary state or federal regulator is considered to be in compliance with this part if the person notifies each affected Utah resident in accordance with the other applicable law in the event of a breach.
(6)(a) The following information may be deemed confidential and classified as a protected record under Subsections 63G-2-305(1) and (2) if the requirements of Subsection 63G-2-309(1)(a)(i) are met:
  (6)(a)(i) a notification submitted under Subsection (1)(c), including supporting information provided under Subsection (6)(b); and
  (6)(a)(ii) information produced by the Office of the Attorney General or the Utah Cyber Center in providing coordination or assistance to the person providing notification under Subsection (1)(c).
(6)(b) A person providing notification under Subsection (1)(c) to the Office of the Attorney General or the Utah Cyber Center of a breach of system security shall include the following information in the notification, to the extent the information is known or available at the time the person provides the notification:
  (6)(b)(i) the date the breach of system security occurred;
  (6)(b)(ii) the date the breach of system security was discovered;
  (6)(b)(iii) the total number of people affected by the breach of system security, including the total number of Utah residents affected;
  (6)(b)(iv) the type of personal information involved in the breach of system security; and
  (6)(b)(v) a short description of the breach of system security that occurred.
(7) A waiver of this section is contrary to public policy and is void and unenforceable.