7 LONG TITLE
8 General Description:
9 This bill amends provisions enforced by the attorney general.
10 Highlighted Provisions:
11 This bill:
12 ▸ modifies the applicability of the Protection of Personal Information Act;
13 ▸ amends the penalty for a violation of the Protection of Personal Information Act or
14 the Consumer Credit Protection Act;
15 ▸ establishes a statute of limitations for an enforcement action under the Protection of
16 Personal Information Act or the Consumer Credit Protection Act;
17 ▸ allows funds in the Attorney General Litigation Fund to be used for education and
18 outreach on certain matters;
19 ▸ modifies the available remedies in an action under the Utah Antitrust Act; and
20 ▸ makes technical and conforming changes.
21 Money Appropriated in this Bill:
22 None
23 Other Special Clauses:
24 None
25 Utah Code Sections Affected:
26 AMENDS:
27 13-44-102, as enacted by Laws of Utah 2006, Chapter 343
28 13-44-201, as enacted by Laws of Utah 2006, Chapter 343
29 13-44-202, as last amended by Laws of Utah 2009, Chapter 388
30 13-44-301, as last amended by Laws of Utah 2017, Chapter 308
31 13-45-401, as last amended by Laws of Utah 2017, Chapter 308
32 76-10-3108, as renumbered and amended by Laws of Utah 2013, Chapter 187
33 76-10-3109, as last amended by Laws of Utah 2013, Chapter 278 and renumbered and
34 amended by Laws of Utah 2013, Chapter 187
35 76-10-3114, as last amended by Laws of Utah 2013, Chapter 400 and renumbered and
36 amended by Laws of Utah 2013, Chapter 187
37 ENACTS:
38 13-44-103, Utah Code Annotated 1953
39
40 Be it enacted by the Legislature of the state of Utah:
41 Section 1. Section 13-44-102 is amended to read:
42 13-44-102. Definitions.
43 As used in this chapter:
44 (1) (a) "Breach of system security" means an unauthorized acquisition of computerized
45 data maintained by a person that compromises the security, confidentiality, or integrity of
46 personal information.
47 (b) "Breach of system security" does not include the acquisition of personal
48 information by an employee or agent of the person possessing unencrypted computerized data
49 unless the personal information is used for an unlawful purpose or disclosed in an unauthorized
50 manner.
51 (2) "Consumer" means a natural person.
52 (3) "Financial institution" means the same as that term is defined in 15 U.S.C. Sec.
53 6809.
54 [
55 name, combined with any one or more of the following data elements relating to that person
56 when either the name or date element is unencrypted or not protected by another method that
57 renders the data unreadable or unusable:
58 (i) Social Security number;
59 (ii) (A) financial account number, or credit or debit card number; and
60 (B) any required security code, access code, or password that would permit access to
61 the person's account; or
62 (iii) driver license number or state identification card number.
63 (b) "Personal information" does not include information regardless of its source,
64 contained in federal, state, or local government records or in widely distributed media that are
65 lawfully made available to the general public.
66 [
67 electronic.
68 Section 2. Section 13-44-103 is enacted to read:
69 13-44-103. Applicability.
70 This chapter does not apply to a financial institution or an affiliate, as defined in 15
71 U.S.C. Sec. 6809, of a financial institution.
72 Section 3. Section 13-44-201 is amended to read:
73 13-44-201. Protection of personal information.
74 (1) Any person who conducts business in the state and maintains personal information
75 shall implement and maintain reasonable procedures to:
76 (a) prevent unlawful use or disclosure of personal information collected or maintained
77 in the regular course of business; and
78 (b) destroy, or arrange for the destruction of, records containing personal information
79 that are not to be retained by the person.
80 (2) The destruction of records under Subsection (1)(b) shall be by:
81 (a) shredding;
82 (b) erasing; or
83 (c) otherwise modifying the personal information to make the information
84 indecipherable.
85 [
86
87 Section 4. Section 13-44-202 is amended to read:
88 13-44-202. Personal information -- Disclosure of system security breach.
89 (1) (a) A person who owns or licenses computerized data that includes personal
90 information concerning a Utah resident shall, when the person becomes aware of a breach of
91 system security, conduct in good faith a reasonable and prompt investigation to determine the
92 likelihood that personal information has been or will be misused for identity theft or fraud
93 purposes.
94 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
95 information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
96 the person shall provide notification to each affected Utah resident.
97 (2) A person required to provide notification under Subsection (1) shall provide the
98 notification in the most expedient time possible without unreasonable delay:
99 (a) considering legitimate investigative needs of law enforcement, as provided in
100 Subsection (4)(a);
101 (b) after determining the scope of the breach of system security; and
102 (c) after restoring the reasonable integrity of the system.
103 (3) (a) A person who maintains computerized data that includes personal information
104 that the person does not own or license shall notify and cooperate with the owner or licensee of
105 the information of any breach of system security immediately following the person's discovery
106 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
107 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
108 breach with the owner or licensee of the information.
109 (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
110 under Subsection (1) at the request of a law enforcement agency that determines that
111 notification may impede a criminal investigation.
112 (b) A person who delays providing notification under Subsection (4)(a) shall provide
113 notification in good faith without unreasonable delay in the most expedient time possible after
114 the law enforcement agency informs the person that notification will no longer impede the
115 criminal investigation.
116 (5) (a) A notification required by this section may be provided:
117 (i) in writing by first-class mail to the most recent address the person has for the
118 resident;
119 (ii) electronically, if the person's primary method of communication with the resident is
120 by electronic means, or if provided in accordance with the consumer disclosure provisions of
121 15 U.S.C. Section 7001;
122 (iii) by telephone, including through the use of automatic dialing technology not
123 prohibited by other law; or
124 (iv) for residents of the state for whom notification in a manner described in
125 Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
126 security:
127 (A) in a newspaper of general circulation; and
128 (B) as required in Section 45-1-101.
129 (b) If a person maintains the person's own notification procedures as part of an
130 information security policy for the treatment of personal information the person is considered
131 to be in compliance with this chapter's notification requirements if the procedures are otherwise
132 consistent with this chapter's timing requirements and the person notifies each affected Utah
133 resident in accordance with the person's information security policy in the event of a breach.
134 (c) A person who is regulated by state or federal law and maintains procedures for a
135 breach of system security under applicable law established by the primary state or federal
136 regulator is considered to be in compliance with this part if the person notifies each affected
137 Utah resident in accordance with the other applicable law in the event of a breach.
138 (6) A waiver of this section is contrary to public policy and is void and unenforceable.
139 Section 5. Section 13-44-301 is amended to read:
140 13-44-301. Enforcement -- Confidentiality agreement -- Penalties.
141 (1) The attorney general may enforce this chapter's provisions.
142 (2) (a) Nothing in this chapter creates a private right of action.
143 (b) Nothing in this chapter affects any private right of action existing under other law,
144 including contract or tort.
145 (3) A person who violates this chapter's provisions is subject to a civil penalty of:
146 (a) no greater than $2,500 for a violation or series of violations concerning a specific
147 consumer; and
148 (b) no greater than $100,000 in the aggregate for related violations concerning more
149 than one consumer[
150 (i) the violations concern:
151 (A) 10,000 or more consumers who are residents of the state; and
152 (B) 10,000 or more consumers who are residents of other states; or
153 (ii) the person agrees to settle for a greater amount.
154 (4) (a) In addition to the penalties provided in Subsection (3), the attorney general may
155 seek, in an action brought under this chapter:
156 (i) injunctive relief to prevent future violations of this chapter; and
157 (ii) attorney fees and costs.
158 (b) The attorney general shall bring an action under this chapter in:
159 (i) the district court located in Salt Lake City; or
160 (ii) the district court for the district in which resides a consumer who is affected by the
161 violation.
162 (5) The attorney general shall deposit any amount received under Subsection (3), (4),
163 or (10) into the Attorney General Litigation Fund created in Section 76-10-3114.
164 (6) In enforcing this chapter, the attorney general may:
165 (a) investigate the actions of any person alleged to violate Section 13-44-201 or
166 13-44-202;
167 (b) subpoena a witness;
168 (c) subpoena a document or other evidence;
169 (d) require the production of books, papers, contracts, records, or other information
170 relevant to an investigation;
171 (e) conduct an adjudication in accordance with Title 63G, Chapter 4, Administrative
172 Procedures Act, to enforce a civil provision under this chapter; and
173 (f) enter into a confidentiality agreement in accordance with Subsection (7).
174 (7) (a) If the attorney general has reasonable cause to believe that an individual is in
175 possession, custody, or control of information that is relevant to enforcing this chapter, the
176 attorney general may enter into a confidentiality agreement with the individual.
177 (b) In a civil action brought under this chapter, a court may issue a confidentiality order
178 that incorporates the confidentiality agreement described in Subsection (7)(a).
179 (c) A confidentiality agreement entered into under Subsection (7)(a) or a
180 confidentiality order issued under Subsection (7)(b) may:
181 (i) address a procedure;
182 (ii) address testimony taken, a document produced, or material produced under this
183 section;
184 (iii) provide whom may access testimony taken, a document produced, or material
185 produced under this section;
186 (iv) provide for safeguarding testimony taken, a document produced, or material
187 produced under this section; or
188 (v) require that the attorney general:
189 (A) return a document or material to an individual; or
190 (B) notwithstanding Section 63A-12-105 or a retention schedule created in accordance
191 with Section 63G-2-604, destroy the document or material at a designated time.
192 (8) A subpoena issued under Subsection (6) may be served by certified mail.
193 (9) A person's failure to respond to a request or subpoena from the attorney general
194 under Subsection (6)(b), (c), or (d) is a violation of this chapter.
195 (10) (a) The attorney general may inspect and copy all records related to the business
196 conducted by the person alleged to have violated this chapter, including records located outside
197 the state.
198 (b) For records located outside of the state, the person who is found to have violated
199 this chapter shall pay the attorney general's expenses to inspect the records, including travel
200 costs.
201 (c) Upon notification from the attorney general of the attorney general's intent to
202 inspect records located outside of the state, the person who is found to have violated this
203 chapter shall pay the attorney general $500, or a higher amount if $500 is estimated to be
204 insufficient, to cover the attorney general's expenses to inspect the records.
205 (d) To the extent an amount paid to the attorney general by a person who is found to
206 have violated this chapter is not expended by the attorney general, the amount shall be refunded
207 to the person who is found to have violated this chapter.
208 (e) The Division of Corporations and Commercial Code or any other relevant entity
209 shall revoke any authorization to do business in this state of a person who fails to pay any
210 amount required under this Subsection (10).
211 (11) (a) Subject to Subsection (11)(c), the attorney general shall keep confidential a
212 procedure agreed to, testimony taken, a document produced, or material produced under this
213 section pursuant to a subpoena, confidentiality agreement, or confidentiality order, unless the
214 individual who agreed to the procedure, provided testimony, produced the document, or
215 produced material waives confidentiality in writing.
216 (b) Subject to Subsections (11)(c) and (11)(d), the attorney general may use, in an
217 enforcement action taken under this section, testimony taken, a document produced, or material
218 produced under this section to the extent the use is not restricted or prohibited by a
219 confidentiality agreement or a confidentiality order.
220 (c) The attorney general may use, in an enforcement action taken under this section,
221 testimony taken, a document produced, or material produced under this section that is restricted
222 or prohibited from use by a confidentiality agreement or a confidentiality order if the individual
223 who provided testimony or produced the document or material waives the restriction or
224 prohibition in writing.
225 (d) The attorney general may disclose testimony taken, a document produced, or
226 material produced under this section, without consent of the individual who provided the
227 testimony or produced the document or material, or the consent of an individual being
228 investigated, to:
229 (i) a grand jury; or
230 (ii) a federal or state law enforcement officer, if the person from whom the information
231 was obtained is notified 20 days or greater before the day on which the information is
232 disclosed, and the federal or state law enforcement officer certifies that the federal or state law
233 enforcement officer will:
234 (A) maintain the confidentiality of the testimony, document, or material; and
235 (B) use the testimony, document, or material solely for an official law enforcement
236 purpose.
237 (12) (a) An administrative action filed under this chapter shall be commenced no later
238 than 10 years after the day on which the alleged breach of system security last occurred.
239 (b) A civil action under this chapter shall be commenced no later than five years after
240 the day on which the alleged breach of system security last occurred.
241 Section 6. Section 13-45-401 is amended to read:
242 13-45-401. Enforcement -- Confidentiality agreement -- Penalties.
243 (1) The attorney general may enforce the provisions of this chapter.
244 (2) A person who violates a provision of this chapter is subject to a civil fine of:
245 (a) no greater than $2,500 for a violation or series of violations concerning a specific
246 consumer; and
247 (b) no greater than $100,000 in the aggregate for related violations concerning more
248 than one consumer[
249 (i) the violations concern:
250 (A) 10,000 or more consumers who are residents of the state; and
251 (B) 10,000 or more consumers who are residents of other states; or
252 (ii) the person agrees to settle for a greater amount.
253 (3) (a) In addition to the penalties provided in Subsection (2), the attorney general may
254 seek, in an action brought under this chapter:
255 (i) injunctive relief to prevent future violations of this chapter; and
256 (ii) attorney fees and costs.
257 (b) The attorney general shall bring an action under this chapter in:
258 (i) the district court located in Salt Lake City; or
259 (ii) the district court for the district in which resides a consumer who is the subject of a
260 credit report on which a violation occurs.
261 (4) The attorney general shall deposit any amount received under Subsection (2) or (3)
262 into the Attorney General Litigation Fund created in Section 76-10-3114.
263 (5) (a) If the attorney general has reasonable cause to believe that an individual is in
264 possession, custody, or control of information that is relevant to enforcing this chapter, the
265 attorney general may enter into a confidentiality agreement with the individual.
266 (b) In a civil action brought under this chapter, a court may issue a confidentiality order
267 that incorporates the confidentiality agreement described in Subsection (5)(a).
268 (c) A confidentiality agreement entered into under Subsection (5)(a) or a
269 confidentiality order issued under Subsection (5)(b) may:
270 (i) address a procedure;
271 (ii) address testimony taken, a document produced, or material produced under this
272 section;
273 (iii) provide whom may access testimony taken, a document produced, or material
274 produced under this section;
275 (iv) provide for safeguarding testimony taken, a document produced, or material
276 produced under this section; or
277 (v) require that the attorney general:
278 (A) return a document or material to an individual; or
279 (B) notwithstanding Section 63A-12-105 or a retention schedule created in accordance
280 with Section 63G-2-604, destroy the document or material at a designated time.
281 (6) (a) Subject to Subsection (6)(c), the attorney general shall keep confidential a
282 procedure agreed to, testimony taken, a document produced, or material produced under this
283 section pursuant to a subpoena, confidentiality agreement, or confidentiality order, unless the
284 individual who agreed to the procedure, provided testimony, or produced the document or
285 material waives confidentiality in writing.
286 (b) Subject to Subsections (6)(c) and (6)(d), the attorney general may use, in an
287 enforcement action taken under this section, testimony taken, a document produced, or material
288 produced under this section to the extent the use is not restricted or prohibited by a
289 confidentiality agreement or a confidentiality order.
290 (c) The attorney general may use, in an enforcement action taken under this section,
291 testimony taken, a document produced, or material produced under this section that is restricted
292 or prohibited from use by a confidentiality agreement or a confidentiality order if the individual
293 who provided testimony, produced the document, or produced the material waives the
294 restriction or prohibition in writing.
295 (d) The attorney general may disclose testimony taken, a document produced, or
296 material produced under this section, without consent of the individual who provided the
297 testimony, produced the document, or produced the material, or without the consent of an
298 individual being investigated, to:
299 (i) a grand jury; or
300 (ii) a federal or state law enforcement officer, if the person from whom the information
301 was obtained is notified 20 days or greater before the day on which the information is
302 disclosed, and the federal or state law enforcement officer certifies that the federal or state law
303 enforcement officer will:
304 (A) maintain the confidentiality of the testimony, document, or material; and
305 (B) use the testimony, document, or material solely for an official law enforcement
306 purpose.
307 (7) A civil action filed under this chapter shall be commenced no later than five years
308 after the day on which the alleged violation last occurred.
309 Section 7. Section 76-10-3108 is amended to read:
310 76-10-3108. Attorney general may bring action for injunctive relief, damages,
311 and civil penalty.
312 (1) The attorney general may bring an action for appropriate injunctive relief, [
313
314 subdivisions or agencies, or as parens patriae on behalf of natural persons in this state, for a
315 violation of this act. Actions may be brought under this section regardless of whether the
316 plaintiff dealt directly or indirectly with the defendant. This remedy is an additional remedy to
317 any other remedies provided by law. It may not diminish or offset any other remedy.
318 (2) Any individual who violates this act is subject to a civil penalty of not more than
319 $100,000 for each violation. Any person, other than an individual, who violates this act is
320 subject to a civil penalty of not more than $500,000 for each violation.
321 Section 8. Section 76-10-3109 is amended to read:
322 76-10-3109. Person may bring action for injunctive relief and damages -- Treble
323 damages -- Recovery of actual damages or civil penalty by state or political subdivisions
324 -- Immunity of political subdivisions from damages, costs, or attorney fees.
325 (1) (a) A person who is a citizen of this state or a resident of this state and who is
326 injured or is threatened with injury in his business or property by a violation of the Utah
327 Antitrust Act may bring an action for injunctive relief and damages, regardless of whether the
328 person dealt directly or indirectly with the defendant. This remedy is in addition to any other
329 remedies provided by law. It may not diminish or offset any other remedy.
330 (b) Subject to the provisions of Subsections (3), (4), and (5), the court shall award three
331 times the amount of damages sustained, plus the cost of suit and a reasonable attorney fees, in
332 addition to granting any appropriate temporary, preliminary, or permanent injunctive relief.
333 (2) (a) If the court determines that a judgment in the amount of three times the damages
334 awarded plus attorney fees and costs will directly cause the insolvency of the defendant, the
335 court shall reduce the amount of judgment to the highest sum that would not cause the
336 defendant's insolvency.
337 (b) The court may not reduce a judgment to an amount less than the amount of
338 damages sustained plus the costs of suit and reasonable attorney fees.
339 (3) The state or any of its political subdivisions may recover [
340 amount of damages it sustains[
341 addition to injunctive relief, costs of suit, and reasonable attorney fees.
342 (4) No damages, costs, or attorney fees may be recovered under this section:
343 (a) from any political subdivision;
344 (b) from the official or employee of any political subdivision acting in an official
345 capacity; or
346 (c) against any person based on any official action directed by a political subdivision or
347 its official or employee acting in an official capacity.
348 (5) Subsection (4) does not apply to cases filed before April 27, 1987, unless the
349 defendant establishes and the court determines that in light of all the circumstances, including
350 the posture of litigation and the availability of alternative relief, it would be inequitable not to
351 apply Subsection (4) to a pending case.
352 (6) When a defendant has been sued in one or more actions by both direct and indirect
353 purchasers, whether in state court or federal court, a defendant shall be entitled to prove as a
354 partial or complete defense to a claim for damages that the damages incurred by the plaintiff or
355 plaintiffs have been passed on to others who are entitled to recover so as to avoid duplication
356 of recovery of damages. In an action by indirect purchasers, any damages or settlement
357 amounts paid to direct purchasers for the same alleged antitrust violations shall constitute a
358 defense in the amount paid on a claim by indirect purchasers under this chapter so as to avoid
359 duplication of recovery of damages.
360 (7) It shall be presumed, in the absence of proof to the contrary, that the injured
361 persons who dealt directly with the defendant incurred at least 1/3 of the damages, and shall,
362 therefore, recover at least 1/3 of the awarded damages. It shall also be presumed, in the
363 absence of proof to the contrary, that the injured persons who dealt indirectly with the
364 defendant incurred at least 1/3 of the damages, and shall, therefore, recover at least 1/3 of the
365 awarded damages. The final 1/3 of the damages shall be awarded by the court to those injured
366 persons determined by the court as most likely to have absorbed the damages.
367 (8) There is a presumption, in the absence of proof to the contrary and subject to
368 Subsection (7), that each level in a product's or service's distribution chain passed on any and
369 all increments in its cost due to an increase in the cost of an ingredient or a component product
370 or service that was caused by a violation of this chapter. This amount will be presumed, in the
371 absence of evidence to the contrary, to be equal to the change in the cost, in dollars and cents,
372 of the ingredient, component product, or service to its first purchaser.
373 (9) The attorney general shall be notified by the plaintiff about the filing of any class
374 action involving antitrust violations that includes plaintiffs from this state. The attorney
375 general shall receive a copy of each filing from each plaintiff. The attorney general may, in his
376 or her discretion, intervene or file amicus briefs in the case, and may be heard on the question
377 of the fairness or appropriateness of any proposed settlement agreement.
378 (10) If, in a class action or parens patriae action filed under this chapter, including the
379 settlement of any action, it is not feasible to return any part of the recovery to the injured
380 plaintiffs, the court shall order the residual funds be applied to benefit the specific class of
381 injured plaintiffs, to improve antitrust enforcement generally by depositing the residual funds
382 into the Attorney General Litigation Fund created by Section 76-10-3114, or both.
383 (11) In any action brought under this chapter, the court shall approve all attorney fees
384 and arrangements for the payment of attorney fees, including contingency fee agreements.
385 Section 9. Section 76-10-3114 is amended to read:
386 76-10-3114. Attorney General Litigation Fund.
387 (1) (a) There is created an expendable special revenue fund known as the Attorney
388 General Litigation Fund for the purpose of providing funds to pay for:
389 (i) any costs and expenses incurred by the state attorney general in relation to actions
390 under state or federal antitrust, criminal laws, or civil proceedings under Title 13, Chapter 44,
391 Protection of Personal Information Act[
392 (ii) citizen education and outreach related to any item described in Subsection (1)(a)(i).
393 (b) [
394 may be appropriated by the Legislature to the attorney general for the administration and
395 enforcement of the laws of this state.
396 [
397 [
398 [
399 Fund for the purposes in Subsection (1)(a).
400 (2) (a) All money received by the state or its agencies by reason of any judgment,
401 settlement, or compromise as the result of any action commenced, investigated, or prosecuted
402 by the attorney general, after payment of any fines, restitution, payments, costs, or fees
403 allocated by the court, shall be deposited in the Attorney General Litigation Fund, except as
404 provided in Subsection (2)(b).
405 (b) (i) Any expenses advanced by the attorney general in any of the actions under
406 Subsection (1)(a) shall be credited to the Attorney General Litigation Fund.
407 (ii) Any money recovered by the attorney general on behalf of any private person or
408 public body other than the state shall be paid to those persons or bodies from funds remaining
409 after payment of expenses under Subsection (2)(b)(i).
410 [