Enhance your TRUST relationship with PRIVACY and SECURITY. Privacy Made Simple!

   +1 866 267 0049   830 NE Pop Tilton Place, Jensen Beach, FL 34957

Utah
Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay

FINES & PENALTIES – Violations
$2,500 to $100,000

Legal

Regulation Levels

  • Breach Reporting

    Breach Reporting

  • Consumer Notification

    Consumer Notification

  • Vendor Management

    Vendor Management

  • Vendor Contract Required

    Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information and privacy and security.

QUICK FACTS

Utah Privacy Law Information

PRIVACY PROGRAM

Organizations can defend against civil liability from certain causes of actions arising out of a data breach by having a written cybersecurity program that conforms with an industry recognized framework. Organizations and Vendors who are businesses operating in Utah must have measures in place for the destruction of records containing personal information, so the records are unreadable or undecipherable. Organizations and Vendors who are businesses operating in Utah must protect personal information from unlawful use or disclosure.

BREACH REPORTING

Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organizations are responsible for submitting any required regulatory reporting and consumer notifications.

CONSUMER NOTIFICATION

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

VENDOR/THIRD PARTIES

Vendors must cooperate with Organizations and provide any relevant information regarding a breach incident.

SPECIFIC LAWS - EDUCATION

Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws. There are sector-specific vendor contract requirements for educational entities. Educational facilities must provide notification to parents in the event of a breach.

SPECIFIC LAWS - GENETIC TESTING

Utah’s Genetic Information Privacy law governs the collection, use, disclosure and consent of resident’s genetic data, and mandates that companies implement a comprehensive security program. In addition, genetic testing companies (GTC) are required to publish a privacy notice detailing the collection, consent, use, access, disclosure, transfer, security and retention/deletion practices of their data. GTCs must provide a process for the access or deletion/destruction of genetic data or biological samples. GTC may not disclose a direct resident consumer’s genetic data to an employer, nor any entity that offers health, life or long-term care insurance, without their express written consent.

FINES & PENALTIES

Breach violations can result in penalties of $2,500 per consumer up to $100,000; over 10,000 Utah residents and over 10,000 consumers who are residents of other states, a greater penalty may be assessed. The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records. Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient. The attorney general can seek injunctive relief to prevent future violations. Organizations may be fined or penalized for Vendor violations.

Utah Statutes and Laws

UTAH CODE 13-44

Protection of personal information act

UTAH CODE § 13-44-201

Protection of personal information

UTAH CODE § 13-44-202

Personal information – disclosure of system security breach

UTAH CODE § 13-44-301

Enforcement – confidentiality agreement – penalties

UTAH CODE §§ 53E-9-101 – 53E-9-310

Student Privacy and Data Protection

UTAH CODE §§ 53E-9-201 – 53E-9-204

Definitions

UTAH CODE TITLE 78B CHAPTER 4 PART 7 §§ 78B-4-701 – 78B-4-706
Cybersecurity Affirmative Defense Act

DISCLAIMER

The information provided is not legal guidance or recommendations and are for informational purposes only.