Utah Code § 63A-19-405

Data breach notification to the Cyber Center and the Office of the Attorney General.
(1)
(a) A governmental entity that identifies a data breach affecting 500 or more individuals shall
notify the Cyber Center and the attorney general of the data breach.
(b) In addition to the notification required by Subsection (1)(a), a governmental entity that
identifies the unauthorized access, acquisition, disclosure, loss of access, or destruction of
data that compromises the security, confidentiality, availability, or integrity of the computer
systems used or information maintained by the governmental entity shall provide notification
to the Cyber Center in accordance with Section 63A-16-1103.
(c) A governmental entity that identifies the unauthorized access, unauthorized acquisition,
unauthorized disclosure, loss of access, or unauthorized destruction of personal data that
is used or is reasonably likely to be used to commit theft, fraud, or other criminal acts shall
provide notification of the breach to:
(i) each individual whose personal data is involved in the breach; and
(ii) the attorney general.
(2) The notification under Subsection (1) shall:
(a) be made without unreasonable delay, but no later than five days from the discovery of the
data breach; and
(b) include the following information:
(i) the date and time the data breach occurred;
(ii) the date the data breach was discovered;
(iii) a short description of the data breach that occurred;
(iv) the means by which access was gained to the system, computer, or network;
(v) the person who perpetrated the data breach;
(vi) steps the governmental entity is or has taken to mitigate the impact of the data breach; and
(vii) any other details requested by the Cyber Center.
(3) For a data breach described in Subsection (1)(a), the governmental entity shall provide the
following information to the Cyber Center and the attorney general in addition to the information
required under Subsection (2)(b):
(a) the total number of individuals affected by the data breach, including the total number of Utah
residents affected; and
(b) the type of personal data involved in the data breach.
(4) If the information required by Subsections (2)(b) and (3) is not available within five days of
discovering the breach, the governmental entity shall provide as much of the information
required under Subsections (2)(b) and (3) as is available and supplement the notification with
additional information as soon as the information becomes available.
(5)
(a) A governmental entity that experiences a data breach affecting fewer than 500 individuals
shall create an internal incident report containing the information in Subsection (2)(b) as soon
as practicable and shall provide additional information as the information becomes available.
(b) A governmental entity shall provide to the Cyber Center:
(i) an internal incident report described in Subsection (5)(a) upon request of the Cyber Center;
and
(ii) an annual report logging all of the governmental entity's data breach incidents affecting
fewer than 500 individuals.
