Third Substitute S.B. 69
8 LONG TITLE
9 General Description:
10 This bill addresses the integrity of consumer credit databases.
11 Highlighted Provisions:
12 This bill:
13 . defines terms;
14 . requires a person maintaining personal information in connection with a business to
15 implement procedures to protect personal information;
16 . requires destruction of certain records;
17 . requires disclosure of breaches of databases containing personal information; and
18 . provides for enforcement by the attorney general.
19 Monies Appropriated in this Bill:
20 This bill appropriates from the General Fund to the attorney general:
21 . as an ongoing appropriation subject to future budget constraints, $89,400 for fiscal
22 year 2006-07; and
23 . $23,000 for fiscal year 2006-07 only.
24 Other Special Clauses:
25 This bill takes effect on January 1, 2007.
26 Utah Code Sections Affected:
27 ENACTS:
28 13-42-101, Utah Code Annotated 1953
29 13-42-102, Utah Code Annotated 1953
30 13-42-201, Utah Code Annotated 1953
31 13-42-202, Utah Code Annotated 1953
32 13-42-301, Utah Code Annotated 1953
33
34 Be it enacted by the Legislature of the state of Utah:
35 Section 1. Section 13-42-101 is enacted to read:
36
37
38 13-42-101. Title.
39 This chapter is known as the "Consumer Credit Protection Act."
40 Section 2. Section 13-42-102 is enacted to read:
41 13-42-102. Definitions.
42 As used in this chapter:
43 (1) (a) "Breach of system security" means an unauthorized acquisition of unencrypted
44 computerized data maintained by a person that compromises the security, confidentiality, or
45 integrity of personal information.
46 (b) "Breach of system security" does not include the acquisition of personal
47 information by an employee or agent of the person possessing unencrypted computerized data
48 unless the personal information is used or disclosed in an unauthorized manner.
49 (2) "Consumer" means a natural person.
50 (3) (a) "Personal information" means a person's first name or first initial and last name,
51 combined with any one or more of the following data elements relating to that person when
52 either the name or date element is unencrypted or not protected by another method that renders
53 the data unreadable or unusable:
54 (i) Social Security number;
55 (ii) (A) financial account number, or credit or debit card number; and
56 (B) any required security code, access code, or password that would permit access to
57 the person's account; or
58 (iii) driver license number or state identification card number.
59 (b) "Personal information" does not include information regardless of its source,
60 contained in federal, state, or local government records or in widely distributed media that are
61 lawfully made available to the general public.
62 (4) "Record" includes materials maintained in any form, including paper and
63 electronic.
64 Section 3. Section 13-42-201 is enacted to read:
65
66 13-42-201. Protection of personal information.
67 (1) Any person who conducts business in the state and maintains personal information
68 shall implement and maintain reasonable procedures to:
69 (a) prevent unlawful use or disclosure of personal information collected or maintained
70 in the regular course of business; and
71 (b) destroy, or arrange for the destruction of, records containing personal information
72 that are not to be retained by the person.
73 (2) The destruction of records under Subsection (1)(b) shall be by:
74 (a) shredding;
75 (b) erasing; or
76 (c) otherwise modifying the personal information to make the information
77 indecipherable.
78 (3) This section does not apply to a financial institution as defined by 15 U.S.C.
79 Section 6809.
80 Section 4. Section 13-42-202 is enacted to read:
81 13-42-202. Personal information -- Disclosure of system security breach.
82 (1) (a) A person who owns or licenses computerized data that includes personal
83 information concerning a Utah resident shall, when the person becomes aware of a breach of
84 system security, conduct in good faith a reasonable and prompt investigation to determine the
85 likelihood that personal information has been or will be misused for identity fraud or theft
86 purposes.
87 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
88 information for identity fraud or theft purposes has occurred, or is reasonably likely to occur,
89 the person shall provide notification to each affected Utah resident.
90 (2) A person required to provide notification under Subsection (1) shall provide the
91 notification in the most expedient time possible without unreasonable delay:
92 (a) considering legitimate investigative needs of law enforcement, as provided in
93 Subsection (4)(a);
94 (b) after determining the scope of the breach of system security; and
95 (c) after restoring the reasonable integrity of the system.
96 (3) (a) A person who maintains computerized data that includes personal information
97 that the person does not own or license shall notify and cooperate with the owner or licensee of
98 the information of any breach of system security immediately following the person's discovery
99 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
100 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
101 breach with the owner or licensee of the information.
102 (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
103 under Subsection (1) at the request of a law enforcement agency that determines that
104 notification may impede a criminal investigation.
105 (b) A person who delays providing notification under Subsection (4)(a) shall provide
106 notification in good faith without unreasonable delay in the most expedient time possible after
107 the law enforcement agency informs the person that notification will no longer impede the
108 criminal investigation.
109 (5) (a) A notification required by this section may be provided:
110 (i) in writing by first-class mail;
111 (ii) electronically, if provided in accordance with the consumer disclosure provisions of
112 15 U.S.C. Section 7001;
113 (iii) by telephone, including through the use of automatic dialing technology not
114 prohibited by other law; or
115 (iv) by publishing notice of the breach of system security in a newspaper of general
116 circulation.
117 (b) If a person maintains the person's own notification procedures as part of an
118 information security policy for the treatment of personal information the person is considered
119 to be in compliance with this chapter's notification requirements if the procedures are otherwise
120 consistent with this chapter's timing requirements and the person notifies each affected Utah
121 resident in accordance with the person's information security policy in the event of a breach.
122 (c) A person who is regulated by state or federal law and maintains procedures for a
123 breach of system security under applicable law established by the primary state or federal
124 regulator is considered to be in compliance with this part if the person notifies each affected
125 Utah resident in accordance with the other applicable law in the event of a breach.
126 (6) A waiver of this section is contrary to public policy and is void and unenforceable.
127 Section 5. Section 13-42-301 is enacted to read:
128
129 13-42-301. Enforcement.
130 (1) The attorney general may enforce this chapter's provisions.
131 (2) (a) Nothing in this chapter creates a private right of action.
132 (b) Nothing in this chapter affects any private right of action existing under other law,
133 including contract or tort.
134 (3) A person who violates this chapter's provisions is subject to a civil fine of:
135 (a) no greater than $2,500 for a violation or series of violations concerning a specific
136 consumer; and
137 (b) no greater than $100,000 in the aggregate for related violations concerning more
138 than one consumer.
139 (4) In addition to the penalties provided in Subsection (3), the attorney general may
140 seek injunctive relief to prevent future violations of this chapter in:
141 (a) the district court located in Salt Lake City; or
142 (b) the district court for the district in which resides a consumer who is affected by the
143 violation.
144 Section 6. Appropriation.
145 (1) There is appropriated from the General Fund to the attorney general:
146 (a) as an ongoing appropriation, subject to future budget constraints, $89,400 for fiscal
147 year 2006-07; and
148 (b) $23,000 for fiscal year 2006-07 only.
149 (2) It is the intent of the Legislature that:
150 (a) the monies appropriated under Subsection (1)(a) be used to fund investigatory
151 activities that may lead to an enforcement action by the attorney general under Section
152 13-42-301; and
153 (b) the monies appropriated under Subsection (1)(b) be used to purchase equipment
154 required for investigatory activities that may lead to an enforcement action by the attorney
155 general under Section 13-42-301.
156 Section 7. Effective date.
157 This bill takes effect on January 1, 2007.