Listen to this post

Utah, among other privacy laws it has enacted or modified recently, has also modified its breach notification law. This follows last year’s changes to the law, which among other things codified the state’s Cyber Center.

This year’s modifications are primarily administrative. The law will now include a definition of “data breach” specifically for purposes of reporting to the Cyber Center (which definition mirrors the breach definition already in the law). Additionally, the law now affirmatively states that the notification submitted to the Cyber Center as well as information submitted to the Center or the Attorney General will be confidential. (If submitted to the Utah Cyber Center following existing Utah’s process for making confidentiality claims).

The law has also been amended to list the specific information which must be provided to the Cyber Center. The list is similar to the information which other agencies who receive notices require, including the date the breach occurred and the date of discovery. Also required is the number of people impacted, including those impacted in Utah and the type of information impacted. Also required is the submission of a short description of the incident.

Putting It Into Practice: Updating its breach notice law seems to be an annual occurrence for Utah. These changes are not significantly different from obligations under other states’ laws. Come May 1, companies will want to keep track of these procedures for incidents that trigger Utah reporting requirements.