Mandatory Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws: $2,500 per consumer, up to $100,000
Third Party Management: None to minimal
The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records. Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient.
The attorney general can seek injunctive relief to prevent future violations.
Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws.
Educational facilities must provide notification to parents in the event of a breach.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Utah Codes §§ 13-44-101 – 13-44-102 Part 1 Protection of Personal Information Act (2006)
Utah Code § 13-44-201 Part 2 Protection of Personal Information Act (2006)
Utah Code § 13-44-202 Personal Information – Disclosure of system security breach (2009)
Utah Code § 13-44-301 Part 3 Protection of Personal Information Act (2006) – Enforcement
Utah Codes §§ 53E-9-101 – 53E-9-310 Student Privacy and Data Protection (2018)