[co-author: Kathryn Smith*]
Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.
The obligation to notify a state authority exists in more than half of US jurisdictions, with Utah joining California, Colorado, Delaware, Florida, Illinois, Iowa, Rhode Island and Washington with a 500-individual threshold. The AGs in many of those jurisdictions ask that companies follow specific processes for making such notifications. Utah does not currently list on its website any such process requirements.
At the same time as amending its breach notice law, Utah has also codified a Utah Cyber Center. This entity appears to be the successor to one that had its soft launch in 2018. The Center, along with the Attorney General, will need to be notified in the event that a breach involves more than 500 residents. The law does not provide a point of contact for the Center, however as of this writing it indicated it would like notices to be sent by email (cybercenter@utah.gov), although that process may change in the future.
The Center’s responsibilities are broader, however, than merely receiving breach notifications. It is also charged with promoting cybersecurity best practices and “partnering” with “private sector organizations to increase the state’s cyber resilience.” In addition, it is charged with centralizing governmental entities’ cybersecurity efforts. This includes developing -by June 30, 2024- a statewide strategic cybersecurity plan for executive branch and other governmental agencies. It will also share cyber threat intelligence with governmental entities and coordinate cyber responses for governmental agency incidents (on their request). The director of the Center will be Chief Information Security Officer of the existing Utah Division of Technology Services.
*Kathryn Smith is a fellow in the firm’s Chicago office.
Putting it into Practice. Utah has joined a growing list of states that require notification to state authorities if an entity suffers a data breach. If, after May 3, an entity suffers a data breach impacting 500 or more Utah residents, it will need to keep in mind these updated notification obligations. We will be monitoring news from Utah for possible changes to the notice mechanics. We will also be monitoring developments from the Center about cybersecurity best practices and how it intends to partner with the private sector on cyber resilience.
