Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts*
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws:
- $2,500 per consumer, up to $100,000
None to minimal
Breach violations can impose penalties of $2,500 per consumer, up to $100,000. However, if the violation involves over 10,000 Utah residents and over 10,000 consumers who are residents of other states, a greater penalty may be assessed.
The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records. Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient.
The attorney general can seek injunctive relief to prevent future violations.
Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws.
There are sector-specific vendor contract requirements for educational entities.*
Educational facilities must provide notification to parents in the event of a breach.
If a vendor is breached, the vendor must report it to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents of other states, you will need to notify those residents according to the rules of their state.
Statutes and Laws
Utah Codes §§ 13-44-101 – 13-44-102 Part 1 Protection of Personal Information Act
Utah Codes § 13-44-201 Part 2 Protection of Personal Information Act
Utah Code § 13-44-202 Personal Information – Disclosure of system security breach
Utah Code § 13-44-301 Part 3 Protection of Personal Information Act – Enforcement
Utah Codes §§ 53E-9-101 – 53E-9-310 Student Privacy and Data Protection