H.B. 285
LONG TITLE
General Description:
This bill repeals and reenacts notification requirements when personal information is accessed or acquired by an unauthorized person.
Highlighted Provisions:
This bill:
. amends definitions;
. requires that a person who has or maintains a consumer's personal information that is accessed or acquired by an unauthorized person give the consumer notice;
. amends civil penalties; and
. makes technical corrections.
Monies Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
AMENDS:
13-44-102, as enacted by Laws of Utah 2006, Chapter 343
13-44-301, as last amended by Laws of Utah 2008, Chapter 29
REPEALS AND REENACTS:
13-44-202, as enacted by Laws of Utah 2006, Chapter 343
Be it enacted by the Legislature of the state of Utah:
Section 1. Section 13-44-102 is amended to read:
13-44-102. Definitions.
As used in this chapter:
(1) (a) "Breach of system security" means an unauthorized acquisition of [
security, confidentiality, or integrity of personal information.
(b) "Breach of system security" does not include the acquisition of personal information by an employee or agent of the person possessing [
information unless the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.
(2) "Consumer" means a natural person.
(3) [
[
[
[
[
[
(a) name;
(b) birth date;
(c) address;
(d) telephone number;
(e) driver license number;
(f) Social Security number;
(g) place of employment;
(h) employee identification numbers or other personal identification numbers;
(i) mother's maiden name;
(j) electronic identification numbers;
(k) electronic signatures under Title 46, Chapter 4, Uniform Electronic Transactions Act; or
(l) any other numbers or information that can be used to access a person's financial resources or medical information.
(4) "Record" includes materials maintained in any form, including paper and electronic.
Section 2. Section 13-44-202 is repealed and reenacted to read:
13-44-202. Personal information -- Disclosure of system security breach.
(1) A person who has or maintains a consumer's personal information that has been accessed or acquired by an unauthorized person shall:
(a) give notice to the consumer as required by this section; and
(b) immediately restore the reasonable integrity of the system breached by the unauthorized person.
(2) (a) If the personal information described in Subsection (1) is used or may be used to access a consumer's financial resources, a person shall immediately notify the consumer, subject to legitimate investigative needs of law enforcement described in Subsection (3)(a).
(b) If personal information described in Subsection (1) is used or may be used to access a consumer's medical records or Social Security information, the person who has or maintains the information shall give the consumer notice within five business days after discovering that the personal information has been accessed or acquired, subject to legitimate investigative needs of law enforcement described in Subsection (3)(a).
(c) If personal information described in Subsection (1) is not subject to Subsection (2)(a) or (b), the person who has or maintains the information shall give the consumer notice within 14 days after discovering that the personal information in Subsection (1) has been accessed or acquired, subject to legitimate investigative needs of law enforcement described in Subsection (3)(a).
(3) (a) Notwithstanding Subsection (2), a person may delay providing notification at the request of a law enforcement agency that determines that notification may impede a criminal investigation.
(b) A person who delays providing notification pursuant to Subsection (3)(a) shall provide notification in good faith without unreasonable delay in the most expedient time possible after the law enforcement agency informs the person that notification will no longer impede the criminal investigation.
(4) (a) Except immediate notification described in Subsection (4)(b), a notification required by this section may be provided:
(i) in writing by first-class mail to the most recent address the person has for the resident;
(ii) electronically, if the person's primary method of communication with the consumer is by electronic means or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. Section 7001;
(iii) by telephone, including through the use of automatic dialing technology not prohibited by other law; or
(iv) by an identity theft reporting website maintained by the attorney general pursuant to Section 67-5-22.
(b) An immediate notification required by this section may be provided:
(i) by issuing a press release and notification through an identity theft reporting website maintained by the attorney general pursuant to Section 67-5-22;
(ii) electronically, if the person's primary method of communication with the consumer is by electronic means or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. Section 7001; or
(iii) by telephone, including through the use of automatic dialing technology not prohibited by law.
(c) A notification shall include:
(i) a detailed description of what personal information was accessed or acquired;
(ii) the level of encryption that was in effect at the time the personal information was accessed or acquired;
(iii) the level of encryption of a pass phrase or password that authorized access to the personal information;
(iv) a description of how the security system was breached;
(v) if known, an explanation of whether the security system breach was an internal or external breach; and
(vi) a disclosure of the number of people whose personal information was or may be accessed or acquired because of the security system breach.
(5) A waiver of this section is contrary to public policy and is void and unenforceable.
Section 3. Section 13-44-301 is amended to read:
13-44-301. Enforcement.
(1) The attorney general may enforce this chapter's provisions.
(2) (a) Nothing in this chapter creates a private right of action.
(b) Nothing in this chapter affects any private right of action existing under other law, including contract or tort.
(3) A person who violates this chapter's provisions is subject to a civil fine of:
[
(a) $1,000 for each day a consumer is not provided notice as required under this chapter; and
(b) no greater than [
concerning more than one consumer.
(4) In addition to the penalties provided in Subsection (3), the attorney general may seek injunctive relief to prevent future violations of this chapter in:
(a) the district court located in Salt Lake City; or
(b) the district court for the district in which resides a consumer who is affected by the violation.
(5) In enforcing this chapter, the attorney general may:
(a) investigate the actions of any person alleged to violate Section 13-44-201 or 13-44-202;
(b) subpoena a witness;
(c) subpoena a document or other evidence;
(d) require the production of books, papers, contracts, records, or other information relevant to an investigation; and
(e) conduct an adjudication in accordance with Title 63G, Chapter 4, Administrative Procedures Act, to enforce a civil provision under this chapter.
(6) A subpoena issued under Subsection (5) may be served by certified mail.
(7) A person's failure to respond to a request or subpoena from the attorney general under Subsection (5)(b), (c), or (d) is a violation of this chapter.
(8) (a) The attorney general may inspect and copy all records related to the business conducted by the person alleged to have violated this chapter, including records located outside the state.
(b) For records located outside of the state, the person who is found to have violated this chapter shall pay the attorney general's expenses to inspect the records, including travel costs.
(c) Upon notification from the attorney general of the attorney general's intent to inspect records located outside of the state, the person who is found to have violated this chapter shall pay the attorney general $500, or a higher amount if $500 is estimated to be insufficient, to cover the attorney general's expenses to inspect the records.
(d) The attorney general shall deposit any amounts received under this Subsection (8) in the Attorney General Litigation Fund established in Section 76-10-922.
(e) To the extent an amount paid to the attorney general by a person who is found to have violated this chapter is not expended by the attorney general, the amount shall be refunded to the person who is found to have violated this chapter.
(f) The Division of Corporations and Commercial Code or any other relevant entity shall revoke any authorization to do business in this state of a person who fails to pay any amount required under this Subsection (8).
Legislative Review Note
as of 1-22-09 12:48 PM