LOGIN Request a call


Utah Amends Data Breach Reporting Requirements

04 Jul



Update Applicable to:Effective date
All covered entitiesMay 1, 2024

What happened?

On March 19, 2024, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 98 (the “Bill”), Online Data Security and Privacy Amendments, into law. The Bill amends the Protection of Personal Information Act (§13-44-101 et seq) and the Utah Technology Governance Act in the Utah Government Operations Code (§63A-16-1101 et seq).

What are the details?

The Background

  • Utah’s cybersecurity law requires businesses to safeguard personal data. If an organization that owns or maintains the personal information of a Utah resident becomes aware of a breach of system security, the organization must investigate to determine if the personal information has been or will be misused.
  • If misuse has occurred or is likely to occur, the organization must notify every affected Utah resident.
  • If the breach affects 500 or more residents, notifications must be sent to the Utah Attorney General and Cyber Center.
  • The Utah Cyber Center collaborates with state, local, and federal entities to enhance security and combat cyber threats.

Key Bites of the Amendments

  • Reiterate that the disclosure of a breach may be confidential and classified as a protected record.
  • Define “personal data” as “information that is linked to or can reasonably be linked to an identified individual or an identifiable individual”.
  • Defines “data breach”.
  • The Utah Cyber Center and the Reporting to the Cyber Center, Assistance to governmental
  • Entities and records are renumbered and amended.
  • Require reporting entities to include additional information on the notification regarding a “breach of system security” provided to the Attorney General and Utah Cyber Center must include, if known or available:
    • the date the breach occurred;
    • the date the breach was discovered;
    • the total number of individuals affected, including the total number of Utah residents;
    • the type of personal information involved; and
    • a short description of the breach that occurred.

For a good breakdown click here.

Business Considerations

  • Employers must update their policies and procedures to comply appropriately with the new requirements, especially the ones regarding data collection and notification of data breaches.
  • Employers should update their data privacy policies.
  • Employers should consider investing in training regarding data protection and how to proceed if a breach of information happens.
  • Employers should establish a robust feedback system for regular performance reviews and encourage open communication.
  • Employers should implement robust security measures to prevent unlawful use or disclosure of personal information.
  • Employers should be prepared to work with the Utah Cyber Center, which may assist in conducting an internal investigation, determining the scope of the data breach, restoring the integrity of the compromised system, and providing other necessary support.

Source References


Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Utah PEO services can help you navigate complex employment laws and keep your business compliant.

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.


You're all set.

Thanks for subscribing. Be on the look out for the Legal HR updates in your email.

Tracking Convertion image