On May 1, 2024, amendments to Utah’s cybersecurity and data breach notification law took effect.

The state’s cybersecurity and data breach notification law requires an organization that conducts business in the State of Utah to prevent the unlawful use or disclosure of personal information collected by the organization.

Under the requirements, if an organization that owns or maintains the personal information of a Utah resident becomes aware of a breach of system security the organization must investigate to determine if the personal information has been or will be misused. If misuse has occurred or is likely to occur, the organization must notify every affected Utah resident. And if 500 or more Utah residents are affected the organization must notify the Utah Attorney General’s Office and the Utah Cyber Center. The Utah Cyber Center coordinates efforts between state, local, and federal resources to support security and defend against cyber-attacks.

The recent amendments revise the definition of “personal data” to be information that “is linked or can be reasonably linked” to an identified individual or identifiable individual.

Concerning nongovernmental entities, the amendments implement a definition for the term “data breach” which is now defined as the “unauthorized access, acquisition, disclosure, loss of access, or destruction of” the personal data of more than 500 or more individuals; or, of data that “compromises security, confidentiality, availability, or integrity of the computer system in use or information maintained by a governmental entity.”

The amendments reiterate that the disclosure of a breach may be confidential and classified as a protected record.

The amendments require reporting entities to include additional information in breach notifications including:

  •  the date the breach of the system security occurred;
  • the date the breach was discovered;
  • the total number of people impacted by the breach, with a breakout of the total number of Utah residents;
  • the type of personal information involved in the breach; and,
  •  a short description of the breach that occurred.

Utah also revised reporting requirements for governmental entities that discover a data breach. Governmental entities shall include all of the above reference items when reporting to the Cyber Center and also:

  • The path or means by which access was gained to the system, computer, or network if known
  • The individual or entity who perpetrated the data breach, if known
  • Any other details requested by the Cyber Center

If you have questions about Utah’s breach notification requirements or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dorothy Parson McDermott Dorothy Parson McDermott

Dorothy “Dottie” Parson McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She concentrates her practice in the defense of complex ERISA litigation, single plaintiff ERISA cases, civil rights and employment-related claims.

Dottie defends ERISA 401(k) Plan class actions.

Dorothy “Dottie” Parson McDermott is a principal in the Indianapolis, Indiana, office of Jackson Lewis P.C. She concentrates her practice in the defense of complex ERISA litigation, single plaintiff ERISA cases, civil rights and employment-related claims.

Dottie defends ERISA 401(k) Plan class actions. She also has experience defending and dealing with defined benefit plan administration and complex Taft-Hartley-multi-employer plan issues. She has litigated sophisticated ERISA preemption issues and defended benefit claims in the LTD Plan, welfare plan, and pension plan areas. Her ERISA clients include fiduciaries, trustees, service providers, ERISA plans, plan administrators, claim administrators, third-party service providers, managed care entities, Taft-Hartley-multiemployer funds, and employers in a wide variety of employee benefits litigation issues nationwide. She additionally advises employers and plan administrators regarding administration of qualified retirement and welfare benefit plans, particularly processing internal claims and appeals. She is a member of the Employee Benefits Committee, Section of Labor & Employment Law, ABA. She is also a member of the ERISA focused DRI Life, Health and Disability Committee. Finally, she is a member of the American Health Lawyers Association.

Dottie also defends employers and management in federal and state courts and before administrative entities (EEOC, Indiana and U.S. Department of Labor, and similar state agencies) in matters ranging from ADA, ADEA, COBRA, FMLA, Title VII, Section 1981, the Indiana Wage Payment and Claims statutes, covenant not to compete/trade secret, and wrongful termination claims. Additionally, she participates in internal FLSA audits on behalf of employers, and the defense of FLSA class action litigation. Dottie further advises employers and management on human resource issues, reductions in force, employee handbooks, policies, severance agreements, EEO training, and workplace violence prevention restraining orders. She also leads internal corporate investigations regarding claims of sexual harassment and discrimination. Moreover, she provides analysis and guidance regarding drug testing laws and medical marijuana/marijuana-related legislation impacting employers in numerous states across the United States.