Utah amends data breach reporting requirements

Constangy, Brooks, Smith & Prophete, LLP

[co-author: Edwin Jones]

The State of Utah recently amended its general data breach notification statute to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The amendments also clarify when notifications can be considered confidential or classified under the state’s public records law.

As of May 1, 2024, the Utah statute provides that:

  • Notification regarding a “breach of system security” provided to the Attorney General or Utah Cyber Center must include, if known or available:
    • the date the breach occurred;
    • the date the breach was discovered;
    • the total number of individuals affected, including the total number of Utah residents;
    • the type of personal information involved; and
    • a short description of the breach that occurred.
  • Notification to the Attorney General or Utah Cyber Center, as well as any information those offices produce in providing coordination or assistance, may be deemed confidential and classified if certain requirements in the public records law are met. Specifically, the notification must include a written claim of business confidentiality and a concise statement of reasons supporting the claim of confidentiality.

The amendments also clarify governmental entities’ reporting requirements to the Utah Cyber Center. These amendments:

  • Define “data breach” as unauthorized access, acquisition, disclosure, loss of access, or destruction of:
    • personal data affecting 500 or more individuals; or
    • data that compromises the security, confidentiality, availability, or integrity of computer systems or information that a governmental entity maintains.
  • Define “personal data” as any information that is linked to or can reasonably be linked to an identified individual or an identifiable individual.
  • Require a governmental entity to include the following information when notifying the Cyber Center of a data breach:
    • the date and time the data breach occurred;
    • the date the data breach was discovered;
    • the total number of people that the data breach affected, including the total number of Utah residents affected;
    • the type of personal data involved in the data breach;
    • a short description of the data breach that occurred;
    • the path or means by which access was gained to the system, computer, or network, if known;
    • the individual or entity who perpetrated the data breach, if known;
    • steps the governmental entity is taking or has taken to mitigate the impact of the data breach; and
    • any other details that the Cyber Center requests.
  • Add confidentiality requirements, including that the following information may be deemed confidential under Utah’s public records law:
    • information that a governmental entity provides to the Cyber Center as part of its notice; and
    • information the Cyber Center produces in response to a report of a data breach.

If deemed confidential, the information may only be shared in compliance with the public records law.

Businesses and governmental entities covered by the Utah legislation should continue to review and update incident response plans to reflect these and other legislative changes. Staying informed of current cybersecurity threats, identifying and addressing vulnerabilities, and confirming the adequacy of administrative, technical and physical controls continue to be essential.

*Edwin Jones is a paralegal in the Cybersecurity practice group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising
