Utah Code 63A-19-405. Data breach notification to the Cyber Center and the Office of the Attorney General
Current as of: 2024 | Check for updates
|
Other versions
(1)
Terms Used In Utah Code 63A-19-405
- Cyber Center: means the Utah Cyber Center created in Section
63A-16-1102 . See Utah Code 63A-19-101 - Data breach: means the unauthorized access, acquisition, disclosure, loss of access, or destruction of personal data held by a governmental entity, unless the governmental entity concludes, according to standards established by the Cyber Center, that there is a low probability that personal data has been compromised. See Utah Code 63A-19-101
- Discovery: Lawyers' examination, before trial, of facts and documents in possession of the opponents to help the lawyers prepare for trial.
- Governmental entity: means the same as that term is defined in Section
63G-2-103 . See Utah Code 63A-19-101 - Individual: means the same as that term is defined in Section
63G-2-103 . See Utah Code 63A-19-101 - Personal data: means information that is linked or can be reasonably linked to an identified individual or an identifiable individual. See Utah Code 63A-19-101
(1)(a) A governmental entity that identifies a data breach affecting 500 or more individuals shall notify the Cyber Center and the attorney general of the data breach.
(1)(b) In addition to the notification required by Subsection (1)(a), a governmental entity that identifies the unauthorized access, acquisition, disclosure, loss of access, or destruction of data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity shall notify the Cyber Center.
(2) The notification under Subsection (1) shall:
(2)(a) be made without unreasonable delay, but no later than five days from the discovery of the data breach; and
(2)(b) include the following information:
(2)(b)(i) the date and time the data breach occurred;
(2)(b)(ii) the date the data breach was discovered;
(2)(b)(iii) a short description of the data breach that occurred;
(2)(b)(iv) the means by which access was gained to the system, computer, or network;
(2)(b)(v) the individual or entity who perpetrated the data breach;
(2)(b)(vi) steps the governmental entity is or has taken to mitigate the impact of the data breach; and
(2)(b)(vii) any other details requested by the Cyber Center.
(3) For a data breach under Subsection (1)(a), the governmental entity shall provide the following information to the Cyber Center and the attorney general in addition to the information required under Subsection (2)(b):
(3)(a) the total number of people affected by the data breach, including the total number of Utah residents affected; and
(3)(b) the type of personal data involved in the data breach.
(4) If the information required by Subsection (2)(b) is not available within five days of discovering the breach, the governmental entity shall provide as much of the information required under Subsection (2)(b) as is available and supplement the notification with additional information as soon as the information becomes available.
(5)
(5)(a) A governmental entity that experiences a data breach affecting fewer than 500 individuals shall create an internal incident report containing the information in Subsection (2)(b) as soon as practicable and shall provide additional information as the information becomes available.
(5)(b) A governmental entity shall provide to the Cyber Center:
(5)(b)(i) an internal incident report described in Subsection (5)(a) upon request of the Cyber Center; and
(5)(b)(ii) an annual report logging all of the governmental entity’s data breach incidents affecting fewer than 500 individuals.