Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts*
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws:
- $2,500 per consumer, up to $100,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach violations can impose penalties of $2,500 per consumer, up to $100,000. However, if the violation involves over 10,000 Utah residents and over 10,000 consumers who are residents of other states, a greater penalty may be assessed.
  • The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records.  Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient.
  • The attorney general can seek injunctive relief to prevent future violations.
  • Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws.
  • There are sector-specific vendor contract requirements for educational entities.*
  • Educational facilities must provide notification to parents in the event of a breach.
  • If a vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Utah Codes §§ 13-44-101 – 13-44-102 Part 1 Protection of Personal Information Act
  • Utah Codes § 13-44-201 Part 2 Protection of Personal Information Act
  • Utah Code § 13-44-202 Personal Information – Disclosure of system security breach
  • Utah Code § 13-44-301  Part 3 Protection of Personal Information Act – Enforcement
  • Utah Codes §§ 53E-9-101 – 53E-9-310  Student Privacy and Data Protection
BAck to map