What Utah Companies Need to Know About Utah Cybersecurity Law

With data breaches continuing to grab headlines, Utah entities should be aware that state law requires them to take measures to protect, secure and dispose of records containing personal information (PI) and to provide notice to individuals if their PI is compromised through a security breach. The Utah Attorney General is charged with enforcing these requirements and may seek substantial monetary damages if they are violated, including fining entities up to $2,500 per violation concerning a specific consumer or $100,000 in the aggregate for a violation concerning more than one consumer.

Perhaps the most notable requirement is that Utah law requires entities (with the exception of certain financial institutions) to implement and maintain “reasonable procedures” to prevent the unlawful use or disclosure of PI. The law defines “personal information” as an individual’s first name or first initial and last name combined with a social security number, driver’s license number, state identification card number, or financial account number, credit card or debit card number in combination with any required security code, access code or password that would permit access to a person’s account. In essence, any entity with employee or customer records containing these data elements is subject to this “reasonable procedures” requirement.

Unfortunately, the law does not define what constitutes reasonable procedures. This is not uncommon; many states that have enacted similar legislation have failed to provide such guidance. Therefore, Utah entities should look to analogous laws and regulations such as HIPAA’s Security Rule, the Gramm-Leach-Bliley Act’s Safeguards Rule, Massachusetts’ data security regulations, and the New York Department of Financial Services Cybersecurity Regulations. For example, entities may consider preparing written information security and cyber-incident response plans, creating a data map, performing a risk assessment and implementing appropriate employee policies and administrative safeguards, among other things.

Entities that transfer records containing PI to third-party vendors also should consider whether they should require those vendors to implement security measures to protect that information. Frequently, a breach of a third-party vendor’s data storage system creates legal obligations for entities whose employee or customer information resided with that vendor. Entities can mitigate that risk through appropriate contractual terms addressing information security standards, such as requiring third-party vendors to encrypt data in transit (e.g., email) and at rest (e.g., as it is stored on servers), implement access controls, and segregate the data on their systems. Entities also can ask third-party providers to indemnify them from any damages caused by a breach. Entities that frequently disclose PI to service providers also should consider creating a vendor questionnaire and form contractual terms to streamline this process and ensure that PI is adequately protected across different service providers.

Utah law also requires entities to destroy, or arrange for the destruction of, records containing PI if those records are not to be retained. Essentially, the law requires entities to shred paper records containing PI and erase or make unreadable electronic records. Utah entities can address this requirement through the creation of an appropriate document-retention schedule. A document-retention schedule also can substantially minimize the risk of harm in the event of a data breach because a malicious actor cannot steal records that the entity no longer possesses.

Finally, Utah law requires entities to notify Utah residents if their PI is subject to a security breach that compromises the security, confidentiality or integrity of the PI. That notice must be provided “in the most expedient time possible without unreasonable delay.” Entities that possess or maintain PI that they do not own (e.g., a payroll vendor or cloud service provider) must “immediately” notify the owner of the information if they suffer a security breach.

Notably, the law does not require notification if the records were encrypted or protected by another method that renders the data unreadable or unusable. That provision is significant because it allows entities to take steps today to encrypt data in transit and at rest to avoid the expense of providing notice if (and when) there is a breach. Considering that providing notice can easily cost tens of thousands of dollars, this is a step that can pay substantial dividends down the road.

Notice also is not required if a good-faith investigation determines that the PI has not been misused and is not reasonably likely to be misused for identity theft or fraud purposes. For example, this could apply if an employee sends an email containing PI to the wrong person but a subsequent investigation shows that the email was not opened and was deleted.

It is worth noting that 47 states other than Utah have statutes that require notice to individuals if their PI is compromised. Those statutes vary widely. For example, some states—such as New Mexico—include biometric information in their definition of PI. State laws also vary on how quickly notice must be provided and what types of information must be included in the notice. Entities that suffer a data breach should consider retaining outside privacy/cybersecurity counsel to conduct an investigation and navigate the legal requirements of providing notice, if necessary.

Ultimately, Utah entities should carefully consider how these laws apply to their specific business and what measures must be taken to ensure compliance.

David M. Stauss leads the privacy and cybersecurity practice group in Ballard Spahr’s Denver office. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information security controls, incident response policies and plans, and data breach response.

Greg Szewczyk is an associate in the Denver office. Zaven A. Sargsian is an associate in the firm’s Salt Lake City office. Both advise clients on privacy and data security matters.