Chief Sponsor: Rebecca Chavez-Houck

Senate Sponsor: Todd Weiler


8     General Description:
9          This bill enacts provisions related to unauthorized access to information technology.
10     Highlighted Provisions:
11          This bill:
12          ▸     provides civil penalties for an individual who, without authorization from a
13     protected computer's owner:
14               •     obtains information from the protected computer;
15               •     causes the transmission of a program, code, or command to the protected
16     computer; or
17               •     traffics in a technological access barrier that could be used to access the
18     protected computer;
19          ▸     defines terms; and
20          ▸     provides that the prevailing party in a civil action under this act is entitled to
21     attorney fees.
22     Money Appropriated in this Bill:
23          None
24     Other Special Clauses:
25          None
26     Utah Code Sections Affected:
27     ENACTS:

28          63D-3-101, Utah Code Annotated 1953
29          63D-3-102, Utah Code Annotated 1953
30          63D-3-103, Utah Code Annotated 1953
31          63D-3-104, Utah Code Annotated 1953
32          63D-3-105, Utah Code Annotated 1953
33          63D-3-106, Utah Code Annotated 1953

35     Be it enacted by the Legislature of the state of Utah:
36          Section 1. Section 63D-3-101 is enacted to read:

Part 1. Computer Abuse and Data Recovery Act

39          63D-3-101. Title.
40          (1) This chapter is known as "Unauthorized Access to Information Technology."
41          (2) This part is known as "Computer Abuse and Data Recovery Act."
42          Section 2. Section 63D-3-102 is enacted to read:
43          63D-3-102. Definitions.
44          As used in this part, the term:
45          (1) "Authorized user" means, for a protected computer:
46          (a) the protected computer's owner; or
47          (b) an individual who has permission to access the protected computer under Section
48     63D-3-103.
49          (2) (a) "Computer" means an electronic, magnetic, optical, electrochemical, or other
50     high-speed data processing device that performs logical, arithmetic, or storage functions.
51          (b) "Computer" includes any data storage device, data storage facility, or
52     communications facility that is directly related to or that operates in conjunction with the
53     device described in Subsection (2)(a).
54          (3) (a) "Damage" means, for a protected computer's owner, the cost associated with an
55     individual's unauthorized access to information stored on a protected computer.
56          (b) "Damage" includes:
57          (i) the cost of repairing or restoring a protected computer;
58          (ii) economic damages;

59          (iii) consequential damages, including interruption of service; and
60          (iv) profit by the individual from the unauthorized access to the protected computer.
61          (4) "Harm" means any impairment to the integrity, access, or availability of:
62          (a) data;
63          (b) a program;
64          (c) a system; or
65          (d) information.
66          (5) "Owner" means a person who:
67          (a) owns or leases a protected computer; or
68          (b) owns the information stored in a protected computer.
69          (6) (a) "Protected computer" means a computer that:
70          (i) is used in connection with the operation of a business, state government entity, or
71     political subdivision; and
72          (ii) requires a technological access barrier for an individual to access the computer.
73          (b) "Protected computer" does not include a computer that an individual can access
74     using a technological access barrier that does not, to a reasonable degree of security, effectively
75     control access to the information stored in the computer.
76          (7) "Technological access barrier" means a password, security code, token, key fob,
77     access device, or other digital security measure.
78          (8) "Traffic" means to sell, purchase, or deliver.
79          (9) "Unauthorized user" means an individual who, for a protected computer:
80          (a) is not an authorized user of the protected computer; and
81          (b) accesses the protected computer by:
82          (i) obtaining, without an authorized user's permission, the authorized user's
83     technological access barrier; or
84          (ii) circumventing, without the permission of the protected computer's owner, a
85     technological access barrier on the protected computer.
86          Section 3. Section 63D-3-103 is enacted to read:
87          63D-3-103. Permission to access a protected computer -- Revocation.
88          (1) Subject to Subsections (2) and (3), an individual has permission to access a
89     protected computer if:

90          (a) the individual is a director, officer, employee, agent, or contractor from the
91     protected computer's owner; and
92          (b) the protected computer's owner gave the individual express permission to access
93     the protected computer through a technological access barrier.
94          (2) If a protected computer's owner gives an individual permission to access the
95     protected computer, the permission is valid only to the extent or for the specific purpose the
96     protected computer's owner authorizes.
97          (3) An individual's permission to access a protected computer is revoked if:
98          (a) the protected computer's owner expressly revokes the individual's permission to
99     access the protected computer; or
100          (b) the individual ceases to be a director, officer, employee, agent, or contractor of the
101     protected computer's owner.
102          Section 4. Section 63D-3-104 is enacted to read:
103          63D-3-104. Prohibited acts.
104          (1) An unauthorized user of a protected computer may not, knowingly and with intent
105     to cause harm or damage:
106          (a) obtain information from the protected computer and, as a result, cause harm or
107     damage;
108          (b) cause the transmission of a program, code, or command to the protected computer,
109     and, as a result of the transmission, cause harm or loss; or
110          (c) traffic in any technological access barrier that an unauthorized user could use to
111     access the protected computer.
112          (2) An individual who violates Subsection (1) is liable to a protected computer's owner
113     in a civil action for the remedies described in Section 63D-3-105.
114          Section 5. Section 63D-3-105 is enacted to read:
115          63D-3-105. Remedies.
116          (1) A person who brings a civil action against an individual for a violation of Section
117     63D-3-104 may:
118          (a) recover actual damages, including the person's:
119          (i) lost profits;
120          (ii) economic damages; and

121          (iii) the reasonable cost of remediation efforts related to the violation;
122          (b) recover consequential damages, including for interruption of service;
123          (c) recover, from the individual, the individual's profit obtained through trafficking in
124     anything obtained by the individual through the violation;
125          (d) obtain injunctive or other equitable relief to prevent a future violation of Section
126     63D-3-104; and
127          (e) recover anything the individual obtained through the violation, including:
128          (i) misappropriated information or code;
129          (ii) a misappropriated program; and
130          (iii) any copies of the information, code, or program described in Subsections (1)(e)(i)
131     and (1)(e)(ii).
132          (2) A court shall award reasonable attorney fees to the prevailing party in any action
133     arising under this part.
134          (3) The remedies available for a violation of Section 63D-3-104 are in addition to
135     remedies otherwise available for the same conduct under federal or state law.
136          (4) A person may not file a civil action under Section 63D-3-104 later than three years
137     after the day on which:
138          (a) the violation occurred; or
139          (b) (i) the person discovers the violation; or
140          (ii) the person should have discovered the violation if the person acted with reasonable
141     diligence to discover the violation.
142          Section 6. Section 63D-3-106 is enacted to read:
143          63D-3-106. Exclusions.
144          (1) This section does not prohibit a lawfully authorized investigative, protective, or
145     intelligence activity of a law enforcement agency, regulatory agency, or political subdivision of
146     this state, another state, the United States, or a foreign country.
147          (2) This part does not apply to a provider of:
148          (a) an interactive computer service as defined in 47 U.S.C. Sec. 230(f); or
149          (b) an information service as defined in 47 U.S.C. Sec. 153.

Legislative Review Note
Office of Legislative Research and General Counsel