1     ATTORNEY GENERAL ENFORCEMENT AMENDMENTS
2     2019 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Lyle W. Hillyard
5     House Sponsor: V. Lowry Snow
6     
7     LONG TITLE
8     General Description:
9          This bill amends provisions enforced by the attorney general.
10     Highlighted Provisions:
11          This bill:
12          ▸     modifies the applicability of the Protection of Personal Information Act;
13          ▸     amends the penalty for a violation of the Protection of Personal Information Act or
14     the Consumer Credit Protection Act;
15          ▸     establishes a statute of limitations for an enforcement action under the Protection of
16     Personal Information Act or the Consumer Credit Protection Act;
17          ▸     allows funds in the Attorney General Litigation Fund to be used for education and
18     outreach on certain matters;
19          ▸     modifies the available remedies in an action under the Utah Antitrust Act; and
20          ▸     makes technical and conforming changes.
21     Money Appropriated in this Bill:
22          None
23     Other Special Clauses:
24          None
25     Utah Code Sections Affected:
26     AMENDS:
27          13-44-102, as enacted by Laws of Utah 2006, Chapter 343
28          13-44-201, as enacted by Laws of Utah 2006, Chapter 343
29          13-44-202, as last amended by Laws of Utah 2009, Chapter 388
30          13-44-301, as last amended by Laws of Utah 2017, Chapter 308
31          13-45-401, as last amended by Laws of Utah 2017, Chapter 308
32          76-10-3108, as renumbered and amended by Laws of Utah 2013, Chapter 187
33          76-10-3109, as last amended by Laws of Utah 2013, Chapter 278 and renumbered and
34     amended by Laws of Utah 2013, Chapter 187
35          76-10-3114, as last amended by Laws of Utah 2013, Chapter 400 and renumbered and
36     amended by Laws of Utah 2013, Chapter 187
37     ENACTS:
38          13-44-103, Utah Code Annotated 1953
39     

40     Be it enacted by the Legislature of the state of Utah:
41          Section 1. Section 13-44-102 is amended to read:
42          13-44-102. Definitions.
43          As used in this chapter:
44          (1) (a) "Breach of system security" means an unauthorized acquisition of computerized
45     data maintained by a person that compromises the security, confidentiality, or integrity of
46     personal information.
47          (b) "Breach of system security" does not include the acquisition of personal
48     information by an employee or agent of the person possessing unencrypted computerized data
49     unless the personal information is used for an unlawful purpose or disclosed in an unauthorized
50     manner.
51          (2) "Consumer" means a natural person.
52          (3) "Financial institution" means the same as that term is defined in 15 U.S.C. Sec.
53     6809.
54          [(3)] (4) (a) "Personal information" means a person's first name or first initial and last
55     name, combined with any one or more of the following data elements relating to that person
56     when either the name or date element is unencrypted or not protected by another method that
57     renders the data unreadable or unusable:
58          (i) Social Security number;
59          (ii) (A) financial account number, or credit or debit card number; and
60          (B) any required security code, access code, or password that would permit access to
61     the person's account; or
62          (iii) driver license number or state identification card number.
63          (b) "Personal information" does not include information regardless of its source,
64     contained in federal, state, or local government records or in widely distributed media that are
65     lawfully made available to the general public.
66          [(4)] (5) "Record" includes materials maintained in any form, including paper and
67     electronic.
68          Section 2. Section 13-44-103 is enacted to read:
69          13-44-103. Applicability.
70          This chapter does not apply to a financial institution or an affiliate, as defined in 15
71     U.S.C. Sec. 6809, of a financial institution.
72          Section 3. Section 13-44-201 is amended to read:
73          13-44-201. Protection of personal information.
74          (1) Any person who conducts business in the state and maintains personal information
75     shall implement and maintain reasonable procedures to:
76          (a) prevent unlawful use or disclosure of personal information collected or maintained
77     in the regular course of business; and
78          (b) destroy, or arrange for the destruction of, records containing personal information
79     that are not to be retained by the person.
80          (2) The destruction of records under Subsection (1)(b) shall be by:
81          (a) shredding;
82          (b) erasing; or
83          (c) otherwise modifying the personal information to make the information
84     indecipherable.
85          [(3) This section does not apply to a financial institution as defined by 15 U.S.C.
86     Section 6809.]
87          Section 4. Section 13-44-202 is amended to read:
88          13-44-202. Personal information -- Disclosure of system security breach.
89          (1) (a) A person who owns or licenses computerized data that includes personal
90     information concerning a Utah resident shall, when the person becomes aware of a breach of
91     system security, conduct in good faith a reasonable and prompt investigation to determine the
92     likelihood that personal information has been or will be misused for identity theft or fraud
93     purposes.
94          (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
95     information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
96     the person shall provide notification to each affected Utah resident.
97          (2) A person required to provide notification under Subsection (1) shall provide the
98     notification in the most expedient time possible without unreasonable delay:
99          (a) considering legitimate investigative needs of law enforcement, as provided in
100     Subsection (4)(a);
101          (b) after determining the scope of the breach of system security; and
102          (c) after restoring the reasonable integrity of the system.
103          (3) (a) A person who maintains computerized data that includes personal information
104     that the person does not own or license shall notify and cooperate with the owner or licensee of
105     the information of any breach of system security immediately following the person's discovery
106     of the breach if misuse of the personal information occurs or is reasonably likely to occur.
107          (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
108     breach with the owner or licensee of the information.
109          (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
110     under Subsection (1) at the request of a law enforcement agency that determines that
111     notification may impede a criminal investigation.
112          (b) A person who delays providing notification under Subsection (4)(a) shall provide
113     notification in good faith without unreasonable delay in the most expedient time possible after
114     the law enforcement agency informs the person that notification will no longer impede the
115     criminal investigation.
116          (5) (a) A notification required by this section may be provided:
117          (i) in writing by first-class mail to the most recent address the person has for the
118     resident;
119          (ii) electronically, if the person's primary method of communication with the resident is
120     by electronic means, or if provided in accordance with the consumer disclosure provisions of
121     15 U.S.C. Section 7001;
122          (iii) by telephone, including through the use of automatic dialing technology not
123     prohibited by other law; or
124          (iv) for residents of the state for whom notification in a manner described in
125     Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
126     security:
127          (A) in a newspaper of general circulation; and
128          (B) as required in Section 45-1-101.
129          (b) If a person maintains the person's own notification procedures as part of an
130     information security policy for the treatment of personal information the person is considered
131     to be in compliance with this chapter's notification requirements if the procedures are otherwise
132     consistent with this chapter's timing requirements and the person notifies each affected Utah
133     resident in accordance with the person's information security policy in the event of a breach.
134          (c) A person who is regulated by state or federal law and maintains procedures for a
135     breach of system security under applicable law established by the primary state or federal
136     regulator is considered to be in compliance with this part if the person notifies each affected
137     Utah resident in accordance with the other applicable law in the event of a breach.
138          (6) A waiver of this section is contrary to public policy and is void and unenforceable.
139          Section 5. Section 13-44-301 is amended to read:
140          13-44-301. Enforcement -- Confidentiality agreement -- Penalties.
141          (1) The attorney general may enforce this chapter's provisions.
142          (2) (a) Nothing in this chapter creates a private right of action.
143          (b) Nothing in this chapter affects any private right of action existing under other law,
144     including contract or tort.
145          (3) A person who violates this chapter's provisions is subject to a civil penalty of:
146          (a) no greater than $2,500 for a violation or series of violations concerning a specific
147     consumer; and
148          (b) no greater than $100,000 in the aggregate for related violations concerning more
149     than one consumer[.], unless:
150          (i) the violations concern:
151          (A) 10,000 or more consumers who are residents of the state; and
152          (B) 10,000 or more consumers who are residents of other states; or
153          (ii) the person agrees to settle for a greater amount.
154          (4) (a) In addition to the penalties provided in Subsection (3), the attorney general may
155     seek, in an action brought under this chapter:
156          (i) injunctive relief to prevent future violations of this chapter; and
157          (ii) attorney fees and costs.
158          (b) The attorney general shall bring an action under this chapter in:
159          (i) the district court located in Salt Lake City; or
160          (ii) the district court for the district in which resides a consumer who is affected by the
161     violation.
162          (5) The attorney general shall deposit any amount received under Subsection (3), (4),
163     or (10) into the Attorney General Litigation Fund created in Section 76-10-3114.
164          (6) In enforcing this chapter, the attorney general may:
165          (a) investigate the actions of any person alleged to violate Section 13-44-201 or
166     13-44-202;
167          (b) subpoena a witness;
168          (c) subpoena a document or other evidence;
169          (d) require the production of books, papers, contracts, records, or other information
170     relevant to an investigation;
171          (e) conduct an adjudication in accordance with Title 63G, Chapter 4, Administrative
172     Procedures Act, to enforce a civil provision under this chapter; and
173          (f) enter into a confidentiality agreement in accordance with Subsection (7).
174          (7) (a) If the attorney general has reasonable cause to believe that an individual is in
175     possession, custody, or control of information that is relevant to enforcing this chapter, the
176     attorney general may enter into a confidentiality agreement with the individual.
177          (b) In a civil action brought under this chapter, a court may issue a confidentiality order
178     that incorporates the confidentiality agreement described in Subsection (7)(a).
179          (c) A confidentiality agreement entered into under Subsection (7)(a) or a
180     confidentiality order issued under Subsection (7)(b) may:
181          (i) address a procedure;
182          (ii) address testimony taken, a document produced, or material produced under this
183     section;
184          (iii) provide whom may access testimony taken, a document produced, or material
185     produced under this section;
186          (iv) provide for safeguarding testimony taken, a document produced, or material
187     produced under this section; or
188          (v) require that the attorney general:
189          (A) return a document or material to an individual; or
190          (B) notwithstanding Section 63A-12-105 or a retention schedule created in accordance
191     with Section 63G-2-604, destroy the document or material at a designated time.
192          (8) A subpoena issued under Subsection (6) may be served by certified mail.
193          (9) A person's failure to respond to a request or subpoena from the attorney general
194     under Subsection (6)(b), (c), or (d) is a violation of this chapter.
195          (10) (a) The attorney general may inspect and copy all records related to the business
196     conducted by the person alleged to have violated this chapter, including records located outside
197     the state.
198          (b) For records located outside of the state, the person who is found to have violated
199     this chapter shall pay the attorney general's expenses to inspect the records, including travel
200     costs.
201          (c) Upon notification from the attorney general of the attorney general's intent to
202     inspect records located outside of the state, the person who is found to have violated this
203     chapter shall pay the attorney general $500, or a higher amount if $500 is estimated to be
204     insufficient, to cover the attorney general's expenses to inspect the records.
205          (d) To the extent an amount paid to the attorney general by a person who is found to
206     have violated this chapter is not expended by the attorney general, the amount shall be refunded
207     to the person who is found to have violated this chapter.
208          (e) The Division of Corporations and Commercial Code or any other relevant entity
209     shall revoke any authorization to do business in this state of a person who fails to pay any
210     amount required under this Subsection (10).
211          (11) (a) Subject to Subsection (11)(c), the attorney general shall keep confidential a
212     procedure agreed to, testimony taken, a document produced, or material produced under this
213     section pursuant to a subpoena, confidentiality agreement, or confidentiality order, unless the
214     individual who agreed to the procedure, provided testimony, produced the document, or
215     produced material waives confidentiality in writing.
216          (b) Subject to Subsections (11)(c) and (11)(d), the attorney general may use, in an
217     enforcement action taken under this section, testimony taken, a document produced, or material
218     produced under this section to the extent the use is not restricted or prohibited by a
219     confidentiality agreement or a confidentiality order.
220          (c) The attorney general may use, in an enforcement action taken under this section,
221     testimony taken, a document produced, or material produced under this section that is restricted
222     or prohibited from use by a confidentiality agreement or a confidentiality order if the individual
223     who provided testimony or produced the document or material waives the restriction or
224     prohibition in writing.
225          (d) The attorney general may disclose testimony taken, a document produced, or
226     material produced under this section, without consent of the individual who provided the
227     testimony or produced the document or material, or the consent of an individual being
228     investigated, to:
229          (i) a grand jury; or
230          (ii) a federal or state law enforcement officer, if the person from whom the information
231     was obtained is notified 20 days or greater before the day on which the information is
232     disclosed, and the federal or state law enforcement officer certifies that the federal or state law
233     enforcement officer will:
234          (A) maintain the confidentiality of the testimony, document, or material; and
235          (B) use the testimony, document, or material solely for an official law enforcement
236     purpose.
237          (12) (a) An administrative action filed under this chapter shall be commenced no later
238     than 10 years after the day on which the alleged breach of system security last occurred.
239          (b) A civil action under this chapter shall be commenced no later than five years after
240     the day on which the alleged breach of system security last occurred.
241          Section 6. Section 13-45-401 is amended to read:
242          13-45-401. Enforcement -- Confidentiality agreement -- Penalties.
243          (1) The attorney general may enforce the provisions of this chapter.
244          (2) A person who violates a provision of this chapter is subject to a civil fine of:
245          (a) no greater than $2,500 for a violation or series of violations concerning a specific
246     consumer; and
247          (b) no greater than $100,000 in the aggregate for related violations concerning more
248     than one consumer[.], unless:
249          (i) the violations concern:
250          (A) 10,000 or more consumers who are residents of the state; and
251          (B) 10,000 or more consumers who are residents of other states; or
252          (ii) the person agrees to settle for a greater amount.
253          (3) (a) In addition to the penalties provided in Subsection (2), the attorney general may
254     seek, in an action brought under this chapter:
255          (i) injunctive relief to prevent future violations of this chapter; and
256          (ii) attorney fees and costs.
257          (b) The attorney general shall bring an action under this chapter in:
258          (i) the district court located in Salt Lake City; or
259          (ii) the district court for the district in which resides a consumer who is the subject of a
260     credit report on which a violation occurs.
261          (4) The attorney general shall deposit any amount received under Subsection (2) or (3)
262     into the Attorney General Litigation Fund created in Section 76-10-3114.
263          (5) (a) If the attorney general has reasonable cause to believe that an individual is in
264     possession, custody, or control of information that is relevant to enforcing this chapter, the
265     attorney general may enter into a confidentiality agreement with the individual.
266          (b) In a civil action brought under this chapter, a court may issue a confidentiality order
267     that incorporates the confidentiality agreement described in Subsection (5)(a).
268          (c) A confidentiality agreement entered into under Subsection (5)(a) or a
269     confidentiality order issued under Subsection (5)(b) may:
270          (i) address a procedure;
271          (ii) address testimony taken, a document produced, or material produced under this
272     section;
273          (iii) provide whom may access testimony taken, a document produced, or material
274     produced under this section;
275          (iv) provide for safeguarding testimony taken, a document produced, or material
276     produced under this section; or
277          (v) require that the attorney general:
278          (A) return a document or material to an individual; or
279          (B) notwithstanding Section 63A-12-105 or a retention schedule created in accordance
280     with Section 63G-2-604, destroy the document or material at a designated time.
281          (6) (a) Subject to Subsection (6)(c), the attorney general shall keep confidential a
282     procedure agreed to, testimony taken, a document produced, or material produced under this
283     section pursuant to a subpoena, confidentiality agreement, or confidentiality order, unless the
284     individual who agreed to the procedure, provided testimony, or produced the document or
285     material waives confidentiality in writing.
286          (b) Subject to Subsections (6)(c) and (6)(d), the attorney general may use, in an
287     enforcement action taken under this section, testimony taken, a document produced, or material
288     produced under this section to the extent the use is not restricted or prohibited by a
289     confidentiality agreement or a confidentiality order.
290          (c) The attorney general may use, in an enforcement action taken under this section,
291     testimony taken, a document produced, or material produced under this section that is restricted
292     or prohibited from use by a confidentiality agreement or a confidentiality order if the individual
293     who provided testimony, produced the document, or produced the material waives the
294     restriction or prohibition in writing.
295          (d) The attorney general may disclose testimony taken, a document produced, or
296     material produced under this section, without consent of the individual who provided the
297     testimony, produced the document, or produced the material, or without the consent of an
298     individual being investigated, to:
299          (i) a grand jury; or
300          (ii) a federal or state law enforcement officer, if the person from whom the information
301     was obtained is notified 20 days or greater before the day on which the information is
302     disclosed, and the federal or state law enforcement officer certifies that the federal or state law
303     enforcement officer will:
304          (A) maintain the confidentiality of the testimony, document, or material; and
305          (B) use the testimony, document, or material solely for an official law enforcement
306     purpose.
307          (7) A civil action filed under this chapter shall be commenced no later than five years
308     after the day on which the alleged violation last occurred.
309          Section 7. Section 76-10-3108 is amended to read:
310          76-10-3108. Attorney general may bring action for injunctive relief, damages,
311     and civil penalty.
312          (1) The attorney general may bring an action for appropriate injunctive relief, [and for
313     damages or] a civil penalty, and damages in the name of the state, any of its political
314     subdivisions or agencies, or as parens patriae on behalf of natural persons in this state, for a
315     violation of this act. Actions may be brought under this section regardless of whether the
316     plaintiff dealt directly or indirectly with the defendant. This remedy is an additional remedy to
317     any other remedies provided by law. It may not diminish or offset any other remedy.
318          (2) Any individual who violates this act is subject to a civil penalty of not more than
319     $100,000 for each violation. Any person, other than an individual, who violates this act is
320     subject to a civil penalty of not more than $500,000 for each violation.
321          Section 8. Section 76-10-3109 is amended to read:
322          76-10-3109. Person may bring action for injunctive relief and damages -- Treble
323     damages -- Recovery of actual damages or civil penalty by state or political subdivisions
324     -- Immunity of political subdivisions from damages, costs, or attorney fees.
325          (1) (a) A person who is a citizen of this state or a resident of this state and who is
326     injured or is threatened with injury in his business or property by a violation of the Utah
327     Antitrust Act may bring an action for injunctive relief and damages, regardless of whether the
328     person dealt directly or indirectly with the defendant. This remedy is in addition to any other
329     remedies provided by law. It may not diminish or offset any other remedy.
330          (b) Subject to the provisions of Subsections (3), (4), and (5), the court shall award three
331     times the amount of damages sustained, plus the cost of suit and a reasonable attorney fees, in
332     addition to granting any appropriate temporary, preliminary, or permanent injunctive relief.
333          (2) (a) If the court determines that a judgment in the amount of three times the damages
334     awarded plus attorney fees and costs will directly cause the insolvency of the defendant, the
335     court shall reduce the amount of judgment to the highest sum that would not cause the
336     defendant's insolvency.
337          (b) The court may not reduce a judgment to an amount less than the amount of
338     damages sustained plus the costs of suit and reasonable attorney fees.
339          (3) The state or any of its political subdivisions may recover [the actual] three times the
340     amount of damages it sustains[, or] and the civil penalty provided by the Utah Antitrust Act, in
341     addition to injunctive relief, costs of suit, and reasonable attorney fees.
342          (4) No damages, costs, or attorney fees may be recovered under this section:
343          (a) from any political subdivision;
344          (b) from the official or employee of any political subdivision acting in an official
345     capacity; or
346          (c) against any person based on any official action directed by a political subdivision or
347     its official or employee acting in an official capacity.
348          (5) Subsection (4) does not apply to cases filed before April 27, 1987, unless the
349     defendant establishes and the court determines that in light of all the circumstances, including
350     the posture of litigation and the availability of alternative relief, it would be inequitable not to
351     apply Subsection (4) to a pending case.
352          (6) When a defendant has been sued in one or more actions by both direct and indirect
353     purchasers, whether in state court or federal court, a defendant shall be entitled to prove as a
354     partial or complete defense to a claim for damages that the damages incurred by the plaintiff or
355     plaintiffs have been passed on to others who are entitled to recover so as to avoid duplication
356     of recovery of damages. In an action by indirect purchasers, any damages or settlement
357     amounts paid to direct purchasers for the same alleged antitrust violations shall constitute a
358     defense in the amount paid on a claim by indirect purchasers under this chapter so as to avoid
359     duplication of recovery of damages.
360          (7) It shall be presumed, in the absence of proof to the contrary, that the injured
361     persons who dealt directly with the defendant incurred at least 1/3 of the damages, and shall,
362     therefore, recover at least 1/3 of the awarded damages. It shall also be presumed, in the
363     absence of proof to the contrary, that the injured persons who dealt indirectly with the
364     defendant incurred at least 1/3 of the damages, and shall, therefore, recover at least 1/3 of the
365     awarded damages. The final 1/3 of the damages shall be awarded by the court to those injured
366     persons determined by the court as most likely to have absorbed the damages.
367          (8) There is a presumption, in the absence of proof to the contrary and subject to
368     Subsection (7), that each level in a product's or service's distribution chain passed on any and
369     all increments in its cost due to an increase in the cost of an ingredient or a component product
370     or service that was caused by a violation of this chapter. This amount will be presumed, in the
371     absence of evidence to the contrary, to be equal to the change in the cost, in dollars and cents,
372     of the ingredient, component product, or service to its first purchaser.
373          (9) The attorney general shall be notified by the plaintiff about the filing of any class
374     action involving antitrust violations that includes plaintiffs from this state. The attorney
375     general shall receive a copy of each filing from each plaintiff. The attorney general may, in his
376     or her discretion, intervene or file amicus briefs in the case, and may be heard on the question
377     of the fairness or appropriateness of any proposed settlement agreement.
378          (10) If, in a class action or parens patriae action filed under this chapter, including the
379     settlement of any action, it is not feasible to return any part of the recovery to the injured
380     plaintiffs, the court shall order the residual funds be applied to benefit the specific class of
381     injured plaintiffs, to improve antitrust enforcement generally by depositing the residual funds
382     into the Attorney General Litigation Fund created by Section 76-10-3114, or both.
383          (11) In any action brought under this chapter, the court shall approve all attorney fees
384     and arrangements for the payment of attorney fees, including contingency fee agreements.
385          Section 9. Section 76-10-3114 is amended to read:
386          76-10-3114. Attorney General Litigation Fund.
387          (1) (a) There is created an expendable special revenue fund known as the Attorney
388     General Litigation Fund for the purpose of providing funds to pay for:
389          (i) any costs and expenses incurred by the state attorney general in relation to actions
390     under state or federal antitrust, criminal laws, or civil proceedings under Title 13, Chapter 44,
391     Protection of Personal Information Act[.]; and
392          (ii) citizen education and outreach related to any item described in Subsection (1)(a)(i).
393          (b) [These] The funds described in Subsection (1)(a) are in addition to other funds as
394     may be appropriated by the Legislature to the attorney general for the administration and
395     enforcement of the laws of this state.
396          [(b)] (c) At the close of any fiscal year, any balance in the fund in excess of
397     [$2,000,000] $4,000,000 shall be transferred to the General Fund.
398          [(c)] (d) The attorney general may expend money from the Attorney General Litigation
399     Fund for the purposes in Subsection (1)(a).
400          (2) (a) All money received by the state or its agencies by reason of any judgment,
401     settlement, or compromise as the result of any action commenced, investigated, or prosecuted
402     by the attorney general, after payment of any fines, restitution, payments, costs, or fees
403     allocated by the court, shall be deposited in the Attorney General Litigation Fund, except as
404     provided in Subsection (2)(b).
405          (b) (i) Any expenses advanced by the attorney general in any of the actions under
406     Subsection (1)(a) shall be credited to the Attorney General Litigation Fund.
407          (ii) Any money recovered by the attorney general on behalf of any private person or
408     public body other than the state shall be paid to those persons or bodies from funds remaining
409     after payment of expenses under Subsection (2)(b)(i).
410          [(3) The Division of Finance shall transfer any money remaining in the Antitrust
411     Revolving Account on July 1, 2002, to the Attorney General Litigation Fund created in
412     Subsection (1).]