7 Patrice M. Arent
8 Scott H. Chew
9 Kay J. Christofferson
10 Keith Grover
Stephen G. Handy
Lynn N. Hemingway
Brian S. King
V. Lowry Snow
Keven J. Stratton
Earl D. Tanner
12 LONG TITLE
13 General Description:
14 This bill enacts provisions related to unauthorized access to information technology.
15 Highlighted Provisions:
16 This bill:
17 ▸ provides civil penalties for an individual who, without authorization from a
18 protected computer's owner:
19 • obtains information from the protected computer;
20 • causes the transmission of a program, code, or command to the protected
21 computer; or
22 • traffics in a technological access barrier that could be used to access the
23 protected computer;
24 ▸ defines terms; and
25 ▸ provides that the prevailing party in a civil action under this act is entitled to
26 attorney fees.
27 Money Appropriated in this Bill:
29 Other Special Clauses:
31 Utah Code Sections Affected:
33 63D-3-101, Utah Code Annotated 1953
34 63D-3-102, Utah Code Annotated 1953
35 63D-3-103, Utah Code Annotated 1953
36 63D-3-104, Utah Code Annotated 1953
37 63D-3-105, Utah Code Annotated 1953
38 63D-3-106, Utah Code Annotated 1953
40 Be it enacted by the Legislature of the state of Utah:
41 Section 1. Section 63D-3-101 is enacted to read:
44 63D-3-101. Title.
45 (1) This chapter is known as "Unauthorized Access to Information Technology."
46 (2) This part is known as "Computer Abuse and Data Recovery Act."
47 Section 2. Section 63D-3-102 is enacted to read:
48 63D-3-102. Definitions.
49 As used in this part, the term:
50 (1) "Authorized user" means, for a protected computer:
51 (a) the protected computer's owner; or
52 (b) an individual who has permission to access the protected computer under Section
54 (2) (a) "Computer" means an electronic, magnetic, optical, electrochemical, or other
55 high-speed data processing device that performs logical, arithmetic, or storage functions.
56 (b) "Computer" includes any data storage device, data storage facility, or
57 communications facility that is directly related to or that operates in conjunction with the
58 device described in Subsection (2)(a).
59 (3) (a) "Damage" means, for a protected computer's owner, the cost associated with an
60 individual's unauthorized access to information stored on a protected computer.
61 (b) "Damage" includes:
62 (i) the cost of repairing or restoring a protected computer;
63 (ii) economic damages;
64 (iii) consequential damages, including interruption of service; and
65 (iv) profit by the individual from the unauthorized access to the protected computer.
66 (4) "Harm" means any impairment to the integrity, access, or availability of:
67 (a) data;
68 (b) a program;
69 (c) a system; or
70 (d) information.
71 (5) "Owner" means a person who:
72 (a) owns or leases a protected computer; or
73 (b) owns the information stored in a protected computer.
74 (6) (a) "Protected computer" means a computer that:
75 (i) is used in connection with the operation of a business, state government entity, or
76 political subdivision; and
77 (ii) requires a technological access barrier for an individual to access the computer.
78 (b) "Protected computer" does not include a computer that an individual can access
79 using a technological access barrier that does not, to a reasonable degree of security, effectively
80 control access to the information stored in the computer.
81 (7) "Technological access barrier" means a password, security code, token, key fob,
82 access device, or other digital security measure.
83 (8) "Traffic" means to sell, purchase, or deliver.
84 (9) "Unauthorized user" means an individual who, for a protected computer:
85 (a) is not an authorized user of the protected computer; and
86 (b) accesses the protected computer by:
87 (i) obtaining, without an authorized user's permission, the authorized user's
88 technological access barrier; or
89 (ii) circumventing, without the permission of the protected computer's owner, a
90 technological access barrier on the protected computer.
91 Section 3. Section 63D-3-103 is enacted to read:
92 63D-3-103. Permission to access a protected computer -- Revocation.
93 (1) Subject to Subsections (2) and (3), an individual has permission to access a
94 protected computer if:
95 (a) the individual is a director, officer, employee, agent, or contractor of the protected
96 computer's owner; and
97 (b) the protected computer's owner gave the individual express permission to access
98 the protected computer through a technological access barrier.
99 (2) If a protected computer's owner gives an individual permission to access the
100 protected computer, the permission is valid only to the extent or for the specific purpose the
101 protected computer's owner authorizes.
102 (3) An individual's permission to access a protected computer is revoked if:
103 (a) the protected computer's owner expressly revokes the individual's permission to
104 access the protected computer; or
105 (b) the individual ceases to be a director, officer, employee, agent, or contractor of the
106 protected computer's owner.
107 Section 4. Section 63D-3-104 is enacted to read:
108 63D-3-104. Prohibited acts.
109 (1) An unauthorized user of a protected computer may not, knowingly and with intent
110 to cause harm or damage:
111 (a) obtain information from the protected computer and, as a result, cause harm or
113 (b) cause the transmission of a program, code, or command to the protected computer,
114 and, as a result of the transmission, cause harm or loss; or
115 (c) traffic in any technological access barrier that an unauthorized user could use to
116 access the protected computer.
117 (2) An individual who violates Subsection (1) is liable to a protected computer's owner
118 in a civil action for the remedies described in Section 63D-3-105.
119 Section 5. Section 63D-3-105 is enacted to read:
120 63D-3-105. Remedies.
121 (1) A person who brings a civil action against an individual for a violation of Section
122 63D-3-104 may:
123 (a) recover actual damages, including the person's:
124 (i) lost profits;
125 (ii) economic damages; and
126 (iii) reasonable cost of remediation efforts related to the violation;
127 (b) recover consequential damages, including for interruption of service;
128 (c) recover, from the individual, the individual's profit obtained through trafficking in
129 anything obtained by the individual through the violation;
130 (d) obtain injunctive or other equitable relief to prevent a future violation of Section
131 63D-3-104; and
132 (e) recover anything the individual obtained through the violation, including:
133 (i) misappropriated information or code;
134 (ii) a misappropriated program; and
135 (iii) any copies of the information, code, or program described in Subsections (1)(e)(i)
136 and (1)(e)(ii).
137 (2) A court shall award reasonable attorney fees to the prevailing party in any action
138 arising under this part.
139 (3) The remedies available for a violation of Section 63D-3-104 are in addition to
140 remedies otherwise available for the same conduct under federal or state law.
141 (4) A person may not file a civil action under Section 63D-3-104 later than three years
142 after the day on which:
143 (a) the violation occurred; or
144 (b) (i) the person discovers the violation; or
145 (ii) the person should have discovered the violation if the person acted with reasonable
146 diligence to discover the violation.
147 Section 6. Section 63D-3-106 is enacted to read:
148 63D-3-106. Exclusions.
149 (1) This section does not prohibit a lawfully authorized investigative, protective, or
150 intelligence activity of a law enforcement agency, regulatory agency, or political subdivision of
151 this state, another state, the United States, or a foreign country.
152 (2) This part does not apply to a provider of:
153 (a) an interactive computer service as defined in 47 U.S.C. Sec. 230(f); or
154 (b) an information service as defined in 47 U.S.C. Sec. 153.