This document includes Senate 2nd Reading Floor Amendments incorporated into the bill on Mon, Feb 13, 2023 at 2:53 PM by jgrandia.
This document includes Senate 2nd Reading Floor Amendments incorporated into the bill on Tue, Feb 14, 2023 at 9:46 AM by lpoole.
This document includes House Floor Amendments incorporated into the bill on Wed, Mar 1, 2023 at 5:40 PM by pflowers.
Senator Wayne A. Harper proposes the following substitute bill:


1     
CYBERSECURITY AMENDMENTS

2     
2023 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Wayne A. Harper

5     
House Sponsor: Jefferson S. Burton

6     

7     LONG TITLE
8     General Description:
9          This bill enacts provisions relating to cybersecurity.
10     Highlighted Provisions:
11          This bill:
12          ▸     amends the disclosure requirement for system security breaches;
13          ▸     requires the Division of Technology Services to report certain information regarding
14     consolidation of networks used by governmental entities;
15          ▸     creates the Utah Cyber Center and defines the center's duties;
16          ▸     requires governmental entities in the state to report a breach of system security to
17     the Utah Cyber Center; and
18          ▸     requires governmental websites to use an authorized top level domain by January 1,
19     2025.
20     Money Appropriated in this Bill:
21          None
22     Other Special Clauses:
23          None
24     Utah Code Sections Affected:
25     AMENDS:
26          13-44-202, as last amended by Laws of Utah 2019, Chapter 348
27     ENACTS:
28          63A-16-302.1, Utah Code Annotated 1953
29          63A-16-510, Utah Code Annotated 1953
30          63A-16-511, Utah Code Annotated 1953
31          63D-2-105, Utah Code Annotated 1953
32     

33     Be it enacted by the Legislature of the state of Utah:
34          Section 1. Section 13-44-202 is amended to read:
35          13-44-202. Personal information -- Disclosure of system security breach.
36          (1) (a) A person who owns or licenses computerized data that includes personal
37     information concerning a Utah resident shall, when the person becomes aware of a breach of
38     system security, conduct in good faith a reasonable and prompt investigation to determine the
39     likelihood that personal information has been or will be misused for identity theft or fraud
40     purposes.
41          (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
42     information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
43     the person shall provide notification to Ĥ→ [:] each affected Utah resident. ←Ĥ
44          Ĥ→ [(i) each affected Utah resident[.];
45          (ii) the Office of the Attorney General; and
46          (iii) the Utah Cyber Center created in Section 62A-16-510.]
46a     (c) If an investigation under Subsection (1)(a) reveals that the misuse of personal information
46b     relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is
46c     reasonably likely to occur, the person shall, in addition to the notification required in
46d     Subsection (1)(b), provide notification to:
46e     (i) the Office of the Attorney General; and
46f     (ii) the Utah Cyber Center created in Section 62A-16-510.
46g     (d) If an investigation under Subsection (1)(a) reveals that the misuse of personal information
46h     relating to 1,000 or more Utah residents, for identity theft or fraud purposes, has occurred or
46i     is reasonably likely to occur, the person shall, in addition to the notification required in
46j     Subsections (1)(b) and (c), provide notification to each consumer reporting agency that
46k     compiles and maintains files on consumers on a nationwide basis, as defined in 15 U.S.C. Sec.
46l     1681a. ←Ĥ
47          (2) A person required to provide notification under Subsection (1) shall provide the
48     notification in the most expedient time possible without unreasonable delay:
49          (a) considering legitimate investigative needs of law enforcement, as provided in
50     Subsection (4)(a);
51          (b) after determining the scope of the breach of system security; and
52          (c) after restoring the reasonable integrity of the system.
53          (3) (a) A person who maintains computerized data that includes personal information
54     that the person does not own or license shall notify and cooperate with the owner or licensee of
55     the information of any breach of system security immediately following the person's discovery
56     of the breach if misuse of the personal information occurs or is reasonably likely to occur.
57          (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
58     breach with the owner or licensee of the information.
59          (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
60     under Subsection (1)(b) Ĥ→ [(i)] ←Ĥ at the request of a law enforcement agency that determines
60a     that
61     notification may impede a criminal investigation.
62          (b) A person who delays providing notification under Subsection (4)(a) shall provide
63     notification in good faith without unreasonable delay in the most expedient time possible after
64     the law enforcement agency informs the person that notification will no longer impede the
65     criminal investigation.
66          (5) (a) A notification required by [this section] Subsection (1)(b) Ĥ→ [(i)] ←Ĥ may be
66a     provided:
67          (i) in writing by first-class mail to the most recent address the person has for the
68     resident;
69          (ii) electronically, if the person's primary method of communication with the resident is
70     by electronic means, or if provided in accordance with the consumer disclosure provisions of
71     15 U.S.C. Section 7001;
72          (iii) by telephone, including through the use of automatic dialing technology not
73     prohibited by other law; or
74          (iv) for residents of the state for whom notification in a manner described in
75     Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
76     security:
77          (A) in a newspaper of general circulation; and
78          (B) as required in Section 45-1-101.
79          (b) If a person maintains the person's own notification procedures as part of an
80     information security policy for the treatment of personal information the person is considered
81     to be in compliance with [this chapter's notification requirements] the notification requirement
82     in Subsection (1)(b) Ĥ→ [(i)] ←Ĥ if the procedures are otherwise consistent with this chapter's
82a     timing
83     requirements and the person notifies each affected Utah resident in accordance with the
84     person's information security policy in the event of a breach.
85          (c) A person who is regulated by state or federal law and maintains procedures for a
86     breach of system security under applicable law established by the primary state or federal
87     regulator is considered to be in compliance with this part if the person notifies each affected
88     Utah resident in accordance with the other applicable law in the event of a breach.
88a     Ĥ→ (6) (a) If a person providing a notification under Subsection (1)(c) to the Office of the
88b     Attorney General or the Utah Cyber Center submits the information required under Section
88c     63G-2-309(1)(a)(i), records submitted to the Office of the Attorney General or the Utah Cyber
88d     Center under Subsection (1)(c) and information produced by the Office of the Attorney
88e     General or the Utah Cyber Center for any coordination or assistance provided to the person
88f     are presumed to be confidential and are a protected record under Subsections 63G-2-305(1)
88g     and (2).
88h     (b) The department may disclose information provided by a person under Subsection (1)(c) or
88i     produced as described in Subsection (6)(a) only if:
88j     (i) disclosure is necessary to prevent imminent and substantial harm; or
88k     (ii) the information is anonymized or aggregated in a manner that makes it unlikely that
88l     information that is a trade secret, as defined in Section 13-24-2, will be disclosed. ←Ĥ
89          Ĥ→ [(6)] (7) ←Ĥ A waiver of this section is contrary to public policy and is void and
89a     unenforceable.
90          Section 2. Section 63A-16-302.1 is enacted to read:
91          63A-16-302.1. Reporting on consolidation of certain information technology
92     services.
93          (1) The division shall, in collaboration with the Cybersecurity Commission created in
94     Section 63C-27-201, identify opportunities, limitations, and barriers to enhancing the overall
95     cybersecurity resilience of the state by consolidating:
96          (a) certain information technology services utilized by governmental entities; and
97          (b) to the extent feasible, the information technology networks that are operated or
98     utilized by governmental entities.
99          (2) On or before November 15, 2023, the division shall report the information
100     described in Subsection (1) to:
101          (a) the Government Operations Interim Committee;
102          (b) the Infrastructure and General Government Appropriations Subcommittee; and
103          (c) the Cybersecurity Commission created in Section 63C-27-201.
104          Section 3. Section 63A-16-510 is enacted to read:
105          63A-16-510. Utah Cyber Center -- Creation -- Duties.
106          (1) As used in this section:
107          (a) "Governmental entity" means the same as that term is defined in Section
108     63G-2-103.
109          (b) "Utah Cyber Center" means the Utah Cyber Center created in this section.
110          (2) (a) There is created within the division the Utah Cyber Center.
111          (b) The chief information security officer appointed under Section 63A-16-210 shall
112     serve as the director of the Utah Cyber Center.
113          (3) The division shall operate the Utah Cyber Center in partnership with the following
114     entities within the Department of Public Safety:
115          (a) the Statewide Information and Analysis Center;
116          (b) the State Bureau of Investigation; and
117          (c) the Division of Emergency Management.
118          (4) In addition to the entities described in Subsection (3), the Utah Cyber Center shall
119     collaborate with:
120          (a) the Cybersecurity Commission created in Section 63C-27-201;
121          (b) the Office of the Attorney General;
121a     Ŝ→ (c) the Utah Education and Telehealth Network created in Section 53B-17-105; ←Ŝ
122          Ŝ→ [(c)] (d) ←Ŝ appropriate federal partners, including the Federal Bureau of Investigation
122a     and the
123     Cybersecurity and Infrastructure Security Agency;
124          Ŝ→ [(d)] (e) ←Ŝ appropriate information sharing and analysis centers;
125          Ŝ→ [(e)] (f) ←Ŝ associations representing political subdivisions in the state, including the
125a     Utah
126     League of Cities and Towns and the Utah Association of Counties; and
127          Ŝ→ [(f)] (g) ←Ŝ any other person the division believes is necessary to carry out the duties
127a     described
128     in Subsection (5).
129          (5) The Utah Cyber Center shall, within legislative appropriations:
130          (a) by June 30, 2024, develop a statewide strategic cybersecurity plan for executive
131     branch agencies and other governmental entities;
132          (b) with respect to executive branch agencies:
133          (i) identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities;
134          (ii) coordinate cybersecurity resilience planning;
135          (iii) provide cybersecurity incident response capabilities; and
136          (iv) recommend to the division standards, policies, or procedures to increase the cyber
137     resilience of executive branch agencies individually or collectively;
138          (c) at the request of a governmental entity, coordinate cybersecurity incident response
139     for an incident affecting the governmental entity in accordance with Section 63A-16-511;
140          (d) promote cybersecurity best practices;
141          (e) share cyber threat intelligence with governmental entities and, through the
142     Statewide Information and Analysis Center, with other public and private sector organizations;
143          (f) serve as the state cybersecurity incident response hotline to receive reports of
144     breaches of system security, including notification or disclosure under Section 13-44-202 or
145     63A-16-511;
146          (g) develop incident response plans to coordinate federal, state, local, and private
147     sector activities and manage the risks associated with an attack or malfunction of critical
148     information technology systems within the state;
149          (h) coordinate, develop, and share best practices for cybersecurity resilience in the
150     state;
151          (i) identify sources of funding to make cybersecurity improvements throughout the
152     state;
153          (j) develop a sharing platform to provide resources based on the information,
154     recommendations, and best practices; and
155          (k) partner with institutions of higher education and other public and private sector
156     organizations to increase the state's cyber resilience.
157          Section 4. Section 63A-16-511 is enacted to read:
158          63A-16-511. Reporting to the Utah Cyber Center -- Assistance to governmental
159     entities -- Records.
160          (1) As used in this section:
161          (a) "Governmental entity" means the same as that term is defined in Section
162     63G-2-103.
163          (b) "Utah Cyber Center" means the Utah Cyber Center created in Section 62A-16-510.
164          (2) A governmental entity shall contact the Utah Cyber Center as soon as practicable
165     when the governmental entity becomes aware of a breach of system security.
166          (3) The Utah Cyber Center shall provide the governmental entity with assistance in
167     responding to the breach of system security, which may include:
168          (a) conducting all or part of the investigation required under Subsection
169     13-44-202(1)(a);
170          (b) assisting law enforcement with the law enforcement investigation if needed;
171          (c) determining the scope of the breach of system security;
172          (d) assisting the governmental entity in restoring the reasonable integrity of the system;
173     or
174          (e) providing any other assistance in response to the reported breach of system security.
175          (4) (a) A person providing information to the Utah Cyber Center may submit the
176     information required in Section 63G-2-309 to request that the information submitted by the
177     person and information produced by the Utah Cyber Center in the course of the Utah Cyber
178     Center's investigation be classified as a confidential protected record.
179          (b) Information submitted to the Utah Cyber Center under Subsection 13-44-202(1)(b)
180     regarding a breach of system security may include information regarding the type of breach, the
181     attack vector, attacker, indicators of compromise, and other details of the breach that are
182     requested by the Utah Cyber Center.
183          (c) A governmental entity that is required to submit information under Section
184     63A-16-511 shall provide records to the Utah Cyber Center as a shared record in accordance
185     with Section 63G-2-206.
186          Section 5. Section 63D-2-105 is enacted to read:
187          63D-2-105. Use of authorized domain extensions for government websites.
188          (1) (a) As used in this section, "authorized top level domain" means any of the
189     following suffixes that follows the domain name in a website address:
190          (i) gov;
191          (ii) edu; and
192          (iii) mil.
193          (2) Beginning January 1, 2025, a governmental entity shall use an authorized top level
194     domain for:
195          (a) the website address for the governmental entity's government website; and
196          (b) the email addresses used by the governmental entity and the governmental entity's
197     employees.
198          (3) Notwithstanding Subsection (2), a governmental entity may operate a website that
199     uses a top level domain that is not an authorized top level domain if:
200          (a) a reasonable person would not mistake the website as the governmental entity's
201     primary website; and
202          (b) the governmental website is:
203          (i) solely for internal use and not intended for use by members of the public;
204          (ii) temporary and in use by the governmental entity for a period of less than one year;
205     or
206          (iii) related to an event, program, or informational campaign operated by the
207     governmental entity in partnership with another person that is not a governmental entity.
208          (4) The chief information officer appointed under Section 63A-16-201 may authorize a
209     waiver of the requirement in Subsection (2) if:
210          (a) there are extraordinary circumstances under which use of an authorized domain
211     extension would cause demonstrable harm to citizens or businesses; and
212          (b) the executive director or chief executive of the governmental entity submits a
213     written request to the chief information officer that includes a justification for the waiver.