LONG TITLE
General Description:
This bill enacts provisions related to unauthorized access to information technology.
Highlighted Provisions:
This bill:
▸ provides civil penalties for an individual who, without authorization from a protected computer's owner:
• obtains information from the protected computer;
• causes the transmission of a program, code, or command to the protected computer; or
• traffics in a technological access barrier that could be used to access the protected computer;
▸ defines terms; and
▸ provides that the prevailing party in a civil action under this act is entitled to attorney fees.
Money Appropriated in this Bill:
Other Special Clauses:
Utah Code Sections Affected:
63D-3-101, Utah Code Annotated 1953
63D-3-102, Utah Code Annotated 1953
63D-3-103, Utah Code Annotated 1953
63D-3-104, Utah Code Annotated 1953
63D-3-105, Utah Code Annotated 1953
63D-3-106, Utah Code Annotated 1953
Be it enacted by the Legislature of the state of Utah:
Section 1. Section 63D-3-101 is enacted to read:
63D-3-101. Title.
(1) This chapter is known as "Unauthorized Access to Information Technology."
(2) This part is known as "Computer Abuse and Data Recovery Act."
Section 2. Section 63D-3-102 is enacted to read:
63D-3-102. Definitions.
As used in this part, the term:
(1) "Authorized user" means, for a protected computer:
(a) the protected computer's owner; or
(b) an individual who has permission to access the protected computer under Section
(2) (a) "Computer" means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or storage functions.
(b) "Computer" includes any data storage device, data storage facility, or communications facility that is directly related to or that operates in conjunction with the device described in Subsection (2)(a).
(3) (a) "Damage" means, for a protected computer's owner, the cost associated with an individual's unauthorized access to information stored on a protected computer.
(b) "Damage" includes:
(i) the cost of repairing or restoring a protected computer;
(ii) economic damages;
(iii) consequential damages, including interruption of service; and
(iv) profit by the individual from the unauthorized access to the protected computer.
(4) "Harm" means any impairment to the integrity, access, or availability of:
(a) data;
(b) a program;
(c) a system; or
(d) information.
(5) "Owner" means a person who:
(a) owns or leases a protected computer; or
(b) owns the information stored in a protected computer.
(6) (a) "Protected computer" means a computer that:
(i) is used in connection with the operation of a business, state government entity, or political subdivision; and
(ii) requires a technological access barrier for an individual to access the computer.
(b) "Protected computer" does not include a computer that an individual can access using a technological access barrier that does not, to a reasonable degree of security, effectively control access to the information stored in the computer.
(7) "Technological access barrier" means a password, security code, token, key fob, access device, or other digital security measure.
(8) "Traffic" means to sell, purchase, or deliver.
(9) "Unauthorized user" means an individual who, for a protected computer:
(a) is not an authorized user of the protected computer; and
(b) accesses the protected computer by:
(i) obtaining, without an authorized user's permission, the authorized user's technological access barrier; or
(ii) circumventing, without the permission of the protected computer's owner, a technological access barrier on the protected computer.
Section 3. Section 63D-3-103 is enacted to read:
63D-3-103. Permission to access a protected computer -- Revocation.
(1) Subject to Subsections (2) and (3), an individual has permission to access a protected computer if:
(a) the individual is a director, officer, employee, agent, or contractor from the protected computer's owner; and
(b) the protected computer's owner gave the individual express permission to access the protected computer through a technological access barrier.
(2) If a protected computer's owner gives an individual permission to access the protected computer, the permission is valid only to the extent or for the specific purpose the protected computer's owner authorizes.
(3) An individual's permission to access a protected computer is revoked if:
(a) the protected computer's owner expressly revokes the individual's permission to access the protected computer; or
(b) the individual ceases to be a director, officer, employee, agent, or contractor of the protected computer's owner.
Section 4. Section 63D-3-104 is enacted to read:
63D-3-104. Prohibited acts.
(1) An unauthorized user of a protected computer may not, knowingly and with intent to cause harm or damage:
(a) obtain information from the protected computer and, as a result, cause harm or
(b) cause the transmission of a program, code, or command to the protected computer, and, as a result of the transmission, cause harm or loss; or
(c) traffic in any technological access barrier that an unauthorized user could use to access the protected computer.
(2) An individual who violates Subsection (1) is liable to a protected computer's owner in a civil action for the remedies described in Section 63D-3-105.
Section 5. Section 63D-3-105 is enacted to read:
63D-3-105. Remedies.
(1) A person who brings a civil action against an individual for a violation of Section 63D-3-104 may:
(a) recover actual damages, including the person's:
(i) lost profits;
(ii) economic damages; and
(iii) the reasonable cost of remediation efforts related to the violation;
(b) recover consequential damages, including for interruption of service;
(c) recover, from the individual, the individual's profit obtained through trafficking in anything obtained by the individual through the violation;
(d) obtain injunctive or other equitable relief to prevent a future violation of Section 63D-3-104; and
(e) recover anything the individual obtained through the violation, including:
(i) misappropriated information or code;
(ii) a misappropriated program; and
(iii) any copies of the information, code, or program described in Subsections (1)(e)(i) and (1)(e)(ii).
(2) A court shall award reasonable attorney fees to the prevailing party in any action arising under this part.
(3) The remedies available for a violation of Section 63D-3-104 are in addition to remedies otherwise available for the same conduct under federal or state law.
(4) A person may not file a civil action under Section 63D-3-104 later than three years after the day on which:
(a) the violation occurred; or
(b) (i) the person discovers the violation; or
(ii) the person should have discovered the violation if the person acted with reasonable diligence to discover the violation.
Section 6. Section 63D-3-106 is enacted to read:
63D-3-106. Exclusions.
(1) This section does not prohibit a lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency, regulatory agency, or political subdivision of this state, another state, the United States, or a foreign country.
(2) This part does not apply to a provider of:
(a) an interactive computer service as defined in 47 U.S.C. Sec. 230(f); or
(b) an information service as defined in 47 U.S.C. Sec. 153.
Legislative Review Note
Office of Legislative Research and General Counsel