On May 1, 2024, amendments to Utah’s cybersecurity and data breach notification law took effect.

The state’s cybersecurity and data breach notification law requires an organization that conducts business in the State of Utah to prevent the unlawful use or disclosure of personal information collected by the organization.

Under the requirements, if an organization that owns or maintains the personal information of a Utah resident becomes aware of a breach of system security, the organization must investigate to determine if the personal information has been or will be misused. If misuse has occurred or is likely to occur, the organization must notify every affected Utah resident. If 500 or more Utah residents are affected, the organization must also notify the Utah Attorney General’s Office and the Utah Cyber Center. The Utah Cyber Center coordinates efforts between state, local, and federal resources to support security and defend against cyber-attacks.

The recent amendments revise the definition of “personal data” to be information that “is linked or can be reasonably linked” to an identified individual or identifiable individual.

Concerning nongovernmental entities, the amendments implement a definition for the term “data breach” which is now defined as the “unauthorized access, acquisition, disclosure, loss of access, or destruction of” the personal data of more than 500 or more individuals; or, of data that “compromises security, confidentiality, availability, or integrity of the computer system in use or information maintained by a governmental entity.”

The amendments reiterate that the disclosure of a breach may be confidential and classified as a protected record.

The amendments require reporting entities to include additional information in breach notifications, including:

  • the date the breach of the system security occurred;
  • the date the breach was discovered;
  • the total number of people impacted by the breach, with a breakout of the total number of Utah residents;
  • the type of personal information involved in the breach; and,
  • a short description of the breach that occurred.

Utah also revised reporting requirements for governmental entities that discover a data breach. Governmental entities shall include all of the above-referenced items when reporting to the Cyber Center, and also:

  • The path or means by which access was gained to the system, computer, or network if known
  • The individual or entity who perpetrated the data breach, if known
  • Any other details requested by the Cyber Center

If you have questions about Utah’s breach notification requirements or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Dorothy Parson McDermott

Dorothy “Dottie” McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She oversees defense of demand letters, charges, litigations and advice and counsel across Jackson Lewis’s nationwide footprint of offices, making portfolio management easier for in-house counsel and leadership across jurisdictions. Clients ranging from Fortune 500 companies to small family-owned businesses, in-house counsel, and members of human resources and management teams appreciate Dottie’s sage and practical input as she aligns proposed defense and resolution strategies with business goals and objectives.

Dottie has more than 20 years of experience defending employers of all sizes, human resources professionals, and management teams in the defense of civil rights and employment-related claims and complex ERISA litigation, single plaintiff ERISA cases. This includes matters before federal and state courts and administrative entities involving claims of discrimination, harassment, wrongful termination and/or retaliation under the ADA, ADEA, COBRA, Equal Pay Act, FMLA, GINA, Title VII, Section 1981, and USERRA. Additionally, she participates in internal FLSA audits on behalf of employers, and the defense of FLSA and ERISA 401(k) collective and class action litigation and defense of other wage hour claims.

Dottie also advises employers and management on human resource issues, background checks and the FCRA, reductions in force and WARN compliance, employee handbooks, policies, severance agreements, EEO training, drug testing issues and workplace violence prevention restraining orders. She also leads internal corporate investigations regarding claims of sexual harassment and discrimination.