Utah Updates Data Breach Notification Requirements – HIPAA Journal


Utah has updated its data breach regulations and from May 3, 2023, will require a breached entity to send a notification to the Utah Attorney General in the event of a breach of the personal information of 500 or more Utah residents.

The new law applies to persons who own or license computerized data that includes the personal information of Utah residents. If a system security breach is discovered, a prompt investigation should be conducted to determine the likelihood that personal information has been or will be misused for identity theft or fraud. If it is determined that identity theft or fraud has occurred, or is likely to occur, notifications must be issued to each affected Utah resident and a notification must be sent to the Utah Attorney General and the newly created Utah Cyber Center.

If the investigation determines that 1,000 or more individuals have experienced identity theft or fraud or are reasonably likely to experience fraud as a result of the security breach, then notifications must be provided to each national consumer reporting agency that maintains data on consumers.

The new requirements do not include a maximum time limit for sending notifications but state that notifications must be provided “in the most expedient time possible without unreasonable delay,” after investigating, determining the extent of the breach, notifying law enforcement, and restoring the integrity of the system.

If a person who maintains computerized data that includes personal information experiences a breach and does not own or license the data, that person must notify the owner or licensee of the information of any breach of system security, and cooperate with them, immediately following the discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.

Notifications must be issued by first class mail to the most recent address of an individual that is on file, or electronically if that is the primary method of communication for that individual, or by telephone. If it is not feasible to issue notifications by those means, notifications must be provided to a newspaper of general circulation.

Organizations that are covered by HIPAA and are compliant with the HIPAA Breach Notification Rule will be compliant with the new requirements provided they send data breach notifications to the Utah Attorney General and Utah Cyber Center and, if applicable, alert consumer reporting agencies.

New Utah Cyber Center

The new Utah Cyber Center will be operated in partnership with the Statewide Information and Analysis Center, the State Bureau of Investigation, and the Division of Emergency Management, and will collaborate with the Office for the Attorney General, the Cybersecurity Commission, the Utah Education and Telehealth Network, and the Cybersecurity and Infrastructure Security Agency.

The Utah Cyber Center will promote cybersecurity best practices, share cyber threat intelligence with government entities and public and private sector organizations, and serve as the state cybersecurity incident response hotline to receive reports of security breaches. It will also develop incident response plans for managing risks due to attacks on critical information technology systems within the state and develop a sharing platform to provide resources based on information and cybersecurity best practices.
