2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill amends provisions related to the protection of personal information.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ clarifies the applicability of existing provisions of the Protection of Personal
14 Information Act to agencies;
15 ▸ subjects agencies to certain personal information protection requirements; and
16 ▸ authorizes the attorney general to use an injunction to enforce provisions related to
17 agencies.
18 Money Appropriated in this Bill:
19 None
20 Other Special Clauses:
21 None
22 Utah Code Sections Affected:
23 AMENDS:
24 13-44-102, as last amended by Laws of Utah 2019, Chapter 348
25 13-44-201, as last amended by Laws of Utah 2019, Chapter 348
26 13-44-202, as last amended by Laws of Utah 2019, Chapter 348
27 13-44-301, as last amended by Laws of Utah 2019, Chapter 348
28 ENACTS:
29 13-44-401, Utah Code Annotated 1953
30 13-44-402, Utah Code Annotated 1953
31 13-44-403, Utah Code Annotated 1953
32
33 Be it enacted by the Legislature of the state of Utah:
34 Section 1. Section 13-44-102 is amended to read:
35 13-44-102. Definitions.
36 As used in this chapter:
37 (1) "Agency" means each department, commission, board, council, agency, institution,
38 corporation, fund, division, office, committee, authority, laboratory, library, unit, bureau, panel,
39 or other administrative unit of the state.
40 (2) "Biometric data" means unique data generated from measurements or analysis of
41 human body characteristics for the purpose of authenticating an individual when the individual
42 accesses an online account.
43 [
44 computerized data maintained by a person that compromises the security, confidentiality, or
45 integrity of personal information.
46 (b) "Breach of system security" does not include the acquisition of personal
47 information by an employee or agent of the person possessing unencrypted computerized data
48 unless the personal information is used for an unlawful purpose or disclosed in an unauthorized
49 manner.
50 [
51 [
52 Sec. 6809.
53 [
54 name, combined with any one or more of the following data elements relating to that person
55 when either the name or date element is unencrypted or not protected by another method that
56 renders the data unreadable or unusable:
57 (i) Social Security number;
58 (ii) (A) financial account number, or credit or debit card number; and
59 (B) any required security code, access code, or password that would permit access to
60 the person's account; [
61 (iii) driver license number or state identification card number[
62 (iv) an identification number including:
63 (A) student;
64 (B) health insurance;
65 (C) military; and
66 (D) passport; or
67 (v) biometric data.
68 (b) "Personal information" includes a Utah consumer's username or email address, in
69 combination with a password or security questions and answers, that would permit access to an
70 online account.
71 [
72 contained in federal, state, or local government records or in widely distributed media that are
73 lawfully made available to the general public.
74 [
75 electronic.
76 Section 2. Section 13-44-201 is amended to read:
77 13-44-201. Protection of personal information.
78 (1) Any person who is not an agency who conducts business in the state and maintains
79 personal information shall implement and maintain reasonable procedures to:
80 (a) prevent unlawful use or disclosure of personal information collected or maintained
81 in the regular course of business; and
82 (b) destroy, or arrange for the destruction of, records containing personal information
83 that are not to be retained by the person.
84 (2) The destruction of records under Subsection (1)(b) shall be by:
85 (a) shredding;
86 (b) erasing; or
87 (c) otherwise modifying the personal information to make the information
88 indecipherable.
89 Section 3. Section 13-44-202 is amended to read:
90 13-44-202. Personal information -- Disclosure of system security breach.
91 (1) (a) A person who owns or licenses computerized data that includes personal
92 information concerning a Utah resident shall, when the person becomes aware of a breach of
93 system security, conduct in good faith a reasonable and prompt investigation to determine the
94 likelihood that personal information has been or will be misused for identity theft or fraud
95 purposes.
96 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
97 information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
98 the person shall provide notification to each affected Utah resident.
99 (2) A person required to provide notification under Subsection (1) shall provide the
100 notification in the most expedient time possible without unreasonable delay:
101 (a) considering legitimate investigative needs of law enforcement, as provided in
102 Subsection (4)(a);
103 (b) after determining the scope of the breach of system security; and
104 (c) after restoring the reasonable integrity of the system.
105 (3) (a) A person who maintains computerized data that includes personal information
106 that the person does not own or license shall notify and cooperate with the owner or licensee of
107 the information of any breach of system security immediately following the person's discovery
108 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
109 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
110 breach with the owner or licensee of the information.
111 (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
112 under Subsection (1) at the request of a law enforcement agency that determines that
113 notification may impede a criminal investigation.
114 (b) A person who delays providing notification under Subsection (4)(a) shall provide
115 notification in good faith without unreasonable delay in the most expedient time possible after
116 the law enforcement agency informs the person that notification will no longer impede the
117 criminal investigation.
118 (5) (a) A notification required by this section may be provided:
119 (i) in writing by first-class mail to the most recent address the person has for the
120 resident;
121 (ii) electronically, if the person's primary method of communication with the resident is
122 by electronic means, or if provided in accordance with the consumer disclosure provisions of
123 15 U.S.C. Section 7001;
124 (iii) by telephone, including through the use of automatic dialing technology not
125 prohibited by other law; or
126 (iv) for residents of the state for whom notification in a manner described in
127 Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
128 security:
129 (A) in a newspaper of general circulation; and
130 (B) as required in Section 45-1-101.
131 (b) If a person maintains the person's own notification procedures as part of an
132 information security policy for the treatment of personal information the person is considered
133 to be in compliance with this chapter's notification requirements if the procedures are otherwise
134 consistent with this chapter's timing requirements and the person notifies each affected Utah
135 resident in accordance with the person's information security policy in the event of a breach.
136 (c) A person who is regulated by state or federal law and maintains procedures for a
137 breach of system security under applicable law established by the primary state or federal
138 regulator is considered to be in compliance with this part if the person notifies each affected
139 Utah resident in accordance with the other applicable law in the event of a breach.
140 (6) A waiver of this section is contrary to public policy and is void and unenforceable.
141 (7) This section does not apply to a person who is an agency.
142 Section 4. Section 13-44-301 is amended to read:
143 13-44-301. Enforcement -- Confidentiality agreement -- Penalties.
144 (1) The attorney general may enforce this chapter's provisions.
145 (2) (a) Nothing in this chapter creates a private right of action.
146 (b) Nothing in this chapter affects any private right of action existing under other law,
147 including contract or tort.
148 (3) A person who violates this chapter's provisions is subject to a civil penalty of:
149 (a) no greater than $2,500 for a violation or series of violations concerning a specific
150 consumer; and
151 (b) no greater than $100,000 in the aggregate for related violations concerning more
152 than one consumer, unless:
153 (i) the violations concern:
154 (A) 10,000 or more consumers who are residents of the state; and
155 (B) 10,000 or more consumers who are residents of other states; or
156 (ii) the person agrees to settle for a greater amount.
157 (4) (a) In addition to the penalties provided in Subsection (3), the attorney general may
158 seek, in an action brought under this chapter:
159 (i) injunctive relief to prevent future violations of this chapter; and
160 (ii) attorney fees and costs.
161 (b) The attorney general shall bring an action under this chapter in:
162 (i) the district court located in Salt Lake City; or
163 (ii) the district court for the district in which resides a consumer who is affected by the
164 violation.
165 (5) The attorney general shall deposit any amount received under Subsection (3), (4),
166 or (10) into the Attorney General Litigation Fund created in Section 76-10-3114.
167 (6) In enforcing this chapter, the attorney general may:
168 (a) investigate the actions of any person alleged to violate Section 13-44-201 or
169 13-44-202;
170 (b) subpoena a witness;
171 (c) subpoena a document or other evidence;
172 (d) require the production of books, papers, contracts, records, or other information
173 relevant to an investigation;
174 (e) conduct an adjudication in accordance with Title 63G, Chapter 4, Administrative
175 Procedures Act, to enforce a civil provision under this chapter; and
176 (f) enter into a confidentiality agreement in accordance with Subsection (7).
177 (7) (a) If the attorney general has reasonable cause to believe that an individual is in
178 possession, custody, or control of information that is relevant to enforcing this chapter, the
179 attorney general may enter into a confidentiality agreement with the individual.
180 (b) In a civil action brought under this chapter, a court may issue a confidentiality order
181 that incorporates the confidentiality agreement described in Subsection (7)(a).
182 (c) A confidentiality agreement entered into under Subsection (7)(a) or a
183 confidentiality order issued under Subsection (7)(b) may:
184 (i) address a procedure;
185 (ii) address testimony taken, a document produced, or material produced under this
186 section;
187 (iii) provide whom may access testimony taken, a document produced, or material
188 produced under this section;
189 (iv) provide for safeguarding testimony taken, a document produced, or material
190 produced under this section; or
191 (v) require that the attorney general:
192 (A) return a document or material to an individual; or
193 (B) notwithstanding Section 63A-12-105 or a retention schedule created in accordance
194 with Section 63G-2-604, destroy the document or material at a designated time.
195 (8) A subpoena issued under Subsection (6) may be served by certified mail.
196 (9) A person's failure to respond to a request or subpoena from the attorney general
197 under Subsection (6)(b), (c), or (d) is a violation of this chapter.
198 (10) (a) The attorney general may inspect and copy all records related to the business
199 conducted by the person alleged to have violated this chapter, including records located outside
200 the state.
201 (b) For records located outside of the state, the person who is found to have violated
202 this chapter shall pay the attorney general's expenses to inspect the records, including travel
203 costs.
204 (c) Upon notification from the attorney general of the attorney general's intent to
205 inspect records located outside of the state, the person who is found to have violated this
206 chapter shall pay the attorney general $500, or a higher amount if $500 is estimated to be
207 insufficient, to cover the attorney general's expenses to inspect the records.
208 (d) To the extent an amount paid to the attorney general by a person who is found to
209 have violated this chapter is not expended by the attorney general, the amount shall be refunded
210 to the person who is found to have violated this chapter.
211 (e) The Division of Corporations and Commercial Code or any other relevant entity
212 shall revoke any authorization to do business in this state of a person who fails to pay any
213 amount required under this Subsection (10).
214 (11) (a) Subject to Subsection (11)(c), the attorney general shall keep confidential a
215 procedure agreed to, testimony taken, a document produced, or material produced under this
216 section pursuant to a subpoena, confidentiality agreement, or confidentiality order, unless the
217 individual who agreed to the procedure, provided testimony, produced the document, or
218 produced material waives confidentiality in writing.
219 (b) Subject to Subsections (11)(c) and (11)(d), the attorney general may use, in an
220 enforcement action taken under this section, testimony taken, a document produced, or material
221 produced under this section to the extent the use is not restricted or prohibited by a
222 confidentiality agreement or a confidentiality order.
223 (c) The attorney general may use, in an enforcement action taken under this section,
224 testimony taken, a document produced, or material produced under this section that is restricted
225 or prohibited from use by a confidentiality agreement or a confidentiality order if the individual
226 who provided testimony or produced the document or material waives the restriction or
227 prohibition in writing.
228 (d) The attorney general may disclose testimony taken, a document produced, or
229 material produced under this section, without consent of the individual who provided the
230 testimony or produced the document or material, or the consent of an individual being
231 investigated, to:
232 (i) a grand jury; or
233 (ii) a federal or state law enforcement officer, if the person from whom the information
234 was obtained is notified 20 days or greater before the day on which the information is
235 disclosed, and the federal or state law enforcement officer certifies that the federal or state law
236 enforcement officer will:
237 (A) maintain the confidentiality of the testimony, document, or material; and
238 (B) use the testimony, document, or material solely for an official law enforcement
239 purpose.
240 (12) (a) An administrative action filed under this chapter shall be commenced no later
241 than 10 years after the day on which the alleged breach of system security last occurred.
242 (b) A civil action under this chapter shall be commenced no later than five years after
243 the day on which the alleged breach of system security last occurred.
244 (13) This section does not apply to a person who is an agency.
245 Section 5. Section 13-44-401 is enacted to read:
246
247 13-44-401. Agency protection of personal information.
248 (1) Any agency who maintains personal information shall implement and maintain
249 reasonable procedures to:
250 (a) prevent unlawful use or disclosure of personal information the agency collects; and
251 (b) destroy, or arrange for the destruction of, records containing personal information
252 that the agency is not retaining.
253 (2) The agency shall destroy the records under Subsection (1)(b) by:
254 (a) shredding;
255 (b) erasing; or
256 (c) otherwise modifying the personal information to make the personal information
257 indecipherable.
258 Section 6. Section 13-44-402 is enacted to read:
259 13-44-402. Computerized data -- Disclosure of system security breach.
260 (1) (a) An agency who owns or licenses computerized data that includes personal
261 information concerning a Utah resident shall, when the agency becomes aware of a breach of
262 system security, conduct in good faith a reasonable and prompt investigation to determine the
263 likelihood that the personal information concerning the Utah resident has been or will be
264 misused for identity theft or fraud purposes.
265 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
266 information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
267 the agency shall provide notice to each affected Utah resident.
268 (2) An agency required to provide notice under Subsection (1) shall provide the notice
269 in the most expedient time possible without unreasonable delay:
270 (a) considering legitimate investigative needs of law enforcement, as provided in
271 Subsection (4)(a);
272 (b) after determining the scope of the breach of system security; and
273 (c) after restoring the reasonable integrity of the system.
274 (3) (a) An agency who maintains computerized data that includes personal information
275 that the agency does not own or license shall notify and cooperate with the owner or licensee of
276 the information of any breach of system security immediately following the agency's discovery
277 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
278 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
279 breach with the owner or licensee of the information.
280 (4) (a) Notwithstanding Subsection (2), an agency may delay providing notice under
281 Subsection (1) at the request of a law enforcement agency that determines that notice may
282 impede a criminal investigation.
283 (b) An agency who delays providing notice under Subsection (4)(a) shall provide
284 notice in good faith without unreasonable delay in the most expedient time possible after the
285 law enforcement agency informs the person that notice will no longer impede the criminal
286 investigation.
287 (5) (a) An agency must provide notice:
288 (i) in writing by first-class mail to the most recent address the agency has for the Utah
289 resident;
290 (ii) electronically, if the agency's primary method of communication with the Utah
291 resident is by electronic means, or if provided in accordance with the consumer disclosure
292 provisions of 15 U.S.C. Section 7001;
293 (iii) by telephone, including through the use of automatic dialing technology not
294 prohibited by law; or
295 (iv) for Utah residents for whom notification in a manner described in Subsections
296 (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system security:
297 (A) in a newspaper of general circulation; and
298 (B) as required in Section 45-1-101.
299 (b) An agency may adopt an agency's own notification procedures as part of an
300 information security policy for the treatment of personal information if:
301 (i) the adopted procedures are consistent with this part's timing requirements; and
302 (ii) the agency notifies each affected Utah resident in accordance with the agency's
303 information security policy in the event of a breach.
304 (c) An agency who is regulated by state or federal law and maintains procedures for a
305 breach of system security under applicable law established by the primary state or federal
306 regulator is in compliance with this part if the agency notifies each affected Utah resident in
307 accordance with the applicable state or federal law in the event of a breach.
308 (6) If an agency is required to notify more than 1,000 Utah residents in compliance
309 with this section, the agency shall also notify, in good faith without unreasonable delay in the
310 most expedient time possible:
311 (a) the attorney general; and
312 (b) all consumer reporting agencies that compile and maintain files on a nationwide
313 basis, as defined in 15 U.S.C. Sec. 1681a(p), of the anticipated date of the notification to the
314 residents and the approximate number of residents the agency will notify.
315 (7) A person may not waive an agency's requirement to comply with this section.
316 Section 7. Section 13-44-403 is enacted to read:
317 13-44-403. Attorney general enforcement.
318 The attorney general may bring an action for injunctive relief to enforce the provisions
319 of this part.