Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect personal information
  • Written Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws
$2,500 per consumer, up to $100,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records.  Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient.
  • The attorney general can seek injunctive relief to prevent future violations.
  • Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws.
  • Educational facilities must provide notification to parents in the event of a breach.
  • If vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Utah Codes §§ 13-44-101 – 13-44-102 Part 1 Protection of Personal Information Act (2006)
  • Utah Codes § 13-44-201 Part 2 Protection of Personal Information Act (2006)
  • Utah Code § 13-44-202 Personal Information – Disclosure of system security breach (2009)
  • Utah Code § 13-44-301  Part 3 Protection of Personal Information Act (2006) – Enforcement
  • Utah Codes §§ 53E-9-101 – 53E-9-310  Student Privacy and Data Protection (2018)
BAck to map