SymTec Can Help You Stay in Compliance with Utah’s Personal Information Protection and Data Breach Laws

For those of you who are business owners and are aware of the impact Utah’s recent Data Breach laws could have on you, SymTec can help clarify the law and your technology defenses in light of them. We provide a turnkey solution for business execs who need to remain in compliance with Utah’s Personal Information Protection and Data Breach Laws on an ongoing basis.

How the Utah Data Security and Personal Information Protection Laws Affect You

Utah, like most U.S. states, has enacted laws concerning data security and the corrective steps to take when a data breach occurs.  Here is what Utah law provides for as codified in Utah Code Ann §§ 13–44–101 et seq.  The Utah Data Security and Personal Information Protection law has been in effect since 2006.

Who the Law Applies To 

The law applies to any person who owns or licenses computerized data that includes personal information about a Utah resident.  The law also applies to anyone who maintains computerized data for someone else.

“Personal information” means a person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or date element is unencrypted or not protected by another method that renders the data unreadable or unusable:

  • Social security number;
  • (A) Financial account number, or credit or debit card number; and (B) Any required security code, access code, or password that would permit access to the person’s account; or
  • Driver license number or state identification card number.

Notably, “personal information” does not include information — regardless of its source — contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.

How is Data Breach Defined Under the Utah Data Protection Law?

The term “data breach” under this law (also called the Database Breach Law) means unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.

This term also includes the acquisition of personal information by an employee or agent of the person possessing unencrypted computerized data if the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.

What Triggers a Data Breach Notification?

A notification is triggered when the data owner or maintainer becomes aware of a potential data breach.  The data owner or maintainer must first conduct a prompt, good-faith investigation to determine whether personal information has been disclosed or will be misused for identity theft or fraud purposes.  If the investigation indicates a reasonable likelihood of the misuse of personal information, the data owner or maintainer must provide notification to each affected Utah resident.

Data owners or maintainers with their own notification procedures consistent with this chapter’s timing requirements are (or maybe) considered to be in compliance with this chapter if they provide notification to affected Utah residents.

Data owners or maintainers primarily regulated by another state or federal law that are in compliance with that applicable law may also be exempt.

When and How to Notify

A person required to notify under Utah Code Ann. § 13–44–202(1), must notify in the most expedient time possible without unreasonable delay.  Written notice is permitted if sent first-class mail to the most recent address the person has for the resident, as is electronic notice if that is the primary method of communicating with the resident, or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. Section 7001.

Phone notice is also permitted (including via automatic dialing technology not prohibited by other law).  Publishing notice is also permitted in a newspaper of general circulation; and as required in Utah Code Ann § 45–1–101, following Utah’s legal notice publication requirements.

What if Law Enforcement is Involved?

A person may delay notification at the request of a law enforcement agency that determines that notification may impede a criminal investigation.  A good-faith notification without unreasonable delay shall be made in the most expedient time possible after the law enforcement agency informs the person that notification will no longer impede the criminal investigation.

What are the Penalties for Non-Compliance with the Law? 

The consequences of non-compliance with the Utah data security law are enforced by the Utah Attorney General (investigation and adjudication). Violators are subject to civil fines up to $2,500 for a violation or series of violations concerning a specific consumer but no greater than $100,000 in the aggregate for related violations concerning more than one consumer.  In addition, the Attorney General may seek injunctive relief.  Although there is no private right of action, liability under contract or tort law is possible.

Other States’ Data Protection and Breach Notification Laws

We have previously posted summaries of the data protection and breach laws for other states in the southwestern United States.  For Arizona, click here.  For California, click here, here and here.  For Nevada, click here and here.  For Colorado, click here.  Stay tuned for further updates as the Utah data protection laws continue to evolve.

The Impact on Small Businesses of Not Having a Good Cyber Security Checklist

Small businesses in Utah (as anywhere else) are every bit as vulnerable as enterprise-scale businesses to hack or data breaches, and sometimes even more vulnerable.  The thought of having the personal and financial data of 143 million Americans stolen is enough to cause any business owner to get a bad case of the hives.

Equifax’s security was violated due to the failure to correctly install a software patch, something that many small business owners can relate to as their internal IT departments are increasingly stretched in a variety of different directions.  Installing patches and keeping software up-to-date is one of the first lines of defense for organizations attempting to reduce the possibility of a cybersecurity attack – through a working (and Utah government-approved) cybersecurity checklist should also be in place along with it simultaneously.

Get the Right Cyber Security Solutions to Stay Compliant with Utah Law

If you’re ready for an IT service provider who can help your business remain in compliance with the Utah Data Breach and Personal Information Protection Laws, then call our nationwide hotline at (800) 489-1706, or email us at sales@symtec.com, or use our secure contact form to get started right away.

SYMTEC

Contact Us Now

Accreditations and Partnerships

Our Partners