Listen to this post

On March 19, 2024, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 98 (the “Bill”), Online Data Security and Privacy Amendments, into law. The Bill amends the Protection of Personal Information Act (§13-44-101 et seq) and the Utah Technology Governance Act in the Utah Government Operations Code (§63A-16-1101 et seq). The Utah Technology Governance Act had previously established the Utah Cyber Center, a state initiative to coordinate efforts between local, state and federal resources by sharing threat intelligence and best practices.

In the Protection of Personal Information Act, SB 98 amends the Act to note that documents submitted to the Attorney General or Cyber Center may be deemed confidential and classified as a protected record if certain circumstances are met. SB 98 also amends §13-44-101 to include requirements reporting entities must include in the event that notification to the Utah Cyber Center or the Attorney General is required. Effective May 1, 2024, reporting entities must include the following information: the date the breach of system security occurred; the date the breach of system security was discovered; the total number of people affected by the breach of system security, including the total number of Utah residents affected; the type of personal information involved in the breach of system security; and a short description of the breach of system security that occurred.

SB 98 changes §63A-16-1101 by establishing that the definition of a “data breach” for the purposes of reporting to the Utah Cyber Center under §63A-16-1101 to be the unauthorized access, acquisition, disclosure, loss of access, or destruction of (1) personal data affecting 500 or more individuals or (2) data that comprises the security, confidentiality, availability or integrity of the computer systems used or information maintained by a governmental entity. The current language under §63A-16-1101 does not include a definition of a “data breach” for purposes of notifying the Utah Cyber Center.

The Bill also sets notification obligations for governmental entities when notifying the Utah Cyber Center.

SB 98 is effective May 1, 2024.