2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill enacts provisions relating to cybersecurity.
10 Highlighted Provisions:
11 This bill:
12 ▸ amends the disclosure requirement for system security breaches;
13 ▸ requires the Division of Technology Services to report certain information regarding
14 consolidation of networks used by governmental entities;
15 ▸ creates the Utah Cyber Center and defines the center's duties;
16 ▸ requires governmental entities in the state to report a breach of system security to
17 the Utah Cyber Center;
18 ▸ amends the duties of the Cybersecurity Commission; and
19 ▸ requires governmental websites to use an authorized top level domain by January 1,
20 2025.
21 Money Appropriated in this Bill:
22 None
23 Other Special Clauses:
24 None
25 Utah Code Sections Affected:
26 AMENDS:
27 13-44-202, as last amended by Laws of Utah 2019, Chapter 348
28 63C-27-202, as enacted by Laws of Utah 2022, Chapter 153
29 ENACTS:
30 63A-16-302.1, Utah Code Annotated 1953
31 63A-16-510, Utah Code Annotated 1953
32 63A-16-511, Utah Code Annotated 1953
33 63D-2-105, Utah Code Annotated 1953
34
35 Be it enacted by the Legislature of the state of Utah:
36 Section 1. Section 13-44-202 is amended to read:
37 13-44-202. Personal information -- Disclosure of system security breach.
38 (1) (a) A person who owns or licenses computerized data that includes personal
39 information concerning a Utah resident shall, when the person becomes aware of a breach of
40 system security, conduct in good faith a reasonable and prompt investigation to determine the
41 likelihood that personal information has been or will be misused for identity theft or fraud
42 purposes.
43 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
44 information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
45 the person shall provide notification to:
46 (i) each affected Utah resident[
47 (ii) the Office of the Attorney General; and
48 (iii) the Utah Cyber Center created in Section 62A-16-510.
49 (2) A person required to provide notification under Subsection (1) shall provide the
50 notification in the most expedient time possible without unreasonable delay:
51 (a) considering legitimate investigative needs of law enforcement, as provided in
52 Subsection (4)(a);
53 (b) after determining the scope of the breach of system security; and
54 (c) after restoring the reasonable integrity of the system.
55 (3) (a) A person who maintains computerized data that includes personal information
56 that the person does not own or license shall notify and cooperate with the owner or licensee of
57 the information of any breach of system security immediately following the person's discovery
58 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
59 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
60 breach with the owner or licensee of the information.
61 (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
62 under Subsection (1)(b)(i) at the request of a law enforcement agency that determines that
63 notification may impede a criminal investigation.
64 (b) A person who delays providing notification under Subsection (4)(a) shall provide
65 notification in good faith without unreasonable delay in the most expedient time possible after
66 the law enforcement agency informs the person that notification will no longer impede the
67 criminal investigation.
68 (5) (a) A notification required by [
69 (i) in writing by first-class mail to the most recent address the person has for the
70 resident;
71 (ii) electronically, if the person's primary method of communication with the resident is
72 by electronic means, or if provided in accordance with the consumer disclosure provisions of
73 15 U.S.C. Section 7001;
74 (iii) by telephone, including through the use of automatic dialing technology not
75 prohibited by other law; or
76 (iv) for residents of the state for whom notification in a manner described in
77 Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
78 security:
79 (A) in a newspaper of general circulation; and
80 (B) as required in Section 45-1-101.
81 (b) If a person maintains the person's own notification procedures as part of an
82 information security policy for the treatment of personal information the person is considered
83 to be in compliance with [
84 in Subsection (1)(b)(i) if the procedures are otherwise consistent with this chapter's timing
85 requirements and the person notifies each affected Utah resident in accordance with the
86 person's information security policy in the event of a breach.
87 (c) A person who is regulated by state or federal law and maintains procedures for a
88 breach of system security under applicable law established by the primary state or federal
89 regulator is considered to be in compliance with this part if the person notifies each affected
90 Utah resident in accordance with the other applicable law in the event of a breach.
91 (6) A waiver of this section is contrary to public policy and is void and unenforceable.
92 Section 2. Section 63A-16-302.1 is enacted to read:
93 63A-16-302.1. Reporting on consolidation of certain information technology
94 services.
95 (1) The division shall, in collaboration with the Cybersecurity Commission created in
96 Section 63C-27-201, identify opportunities, limitations, and barriers to enhancing the overall
97 cybersecurity resilience of the state by consolidating:
98 (a) certain information technology services utilized by governmental entities; and
99 (b) to the extent feasible, the information technology networks that are operated or
100 utilized by governmental entities.
101 (2) On or before November 15, 2023, the division shall report the information
102 described in Subsection (1) to:
103 (a) the Government Operations Interim Committee;
104 (b) the Infrastructure and General Government Appropriations Subcommittee; and
105 (c) the Cybersecurity Commission created in Section 63C-27-201.
106 Section 3. Section 63A-16-510 is enacted to read:
107 63A-16-510. Utah Cyber Center -- Creation -- Duties.
108 (1) As used in this section:
109 (a) "Governmental entity" means the same as that term is defined in Section
110 63G-2-103.
111 (b) "Utah Cyber Center" means the Utah Cyber Center created in this section.
112 (2) (a) There is created within the division the Utah Cyber Center.
113 (b) The chief information security officer appointed under Section 63A-16-210 shall
114 serve as the director of the Utah Cyber Center.
115 (3) The division shall operate the Utah Cyber Center in partnership with the following
116 entities within the Department of Public Safety:
117 (a) the Statewide Information and Analysis Center;
118 (b) the State Bureau of Investigation; and
119 (c) the Division of Emergency Management.
120 (4) In addition to the entities described in Subsection (3), the Utah Cyber Center shall
121 collaborate with:
122 (a) the Cybersecurity Commission created in Section 63C-27-201;
123 (b) the Office of the Attorney General;
124 (c) appropriate federal partners, including the Federal Bureau of Investigation and the
125 Cybersecurity and Infrastructure Security Agency;
126 (d) appropriate information sharing and analysis centers;
127 (e) associations representing political subdivisions in the state, including the Utah
128 League of Cities and Towns and the Utah Association of Counties; and
129 (f) any other person the division believes is necessary to carry out the duties described
130 in Subsection (5).
131 (5) The Utah Cyber Center shall, within legislative appropriations:
132 (a) develop and maintain a statewide strategic cybersecurity plan for executive branch
133 agencies and other governmental entities;
134 (b) with respect to executive branch agencies:
135 (i) identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities;
136 (ii) coordinate cybersecurity resilience planning;
137 (iii) provide cybersecurity incident response capabilities; and
138 (iv) recommend to the division standards, policies, or procedures to increase the cyber
139 resilience of executive branch agencies individually or collectively;
140 (c) at the request of a governmental entity, coordinate cybersecurity incident response
141 for an incident affecting the governmental entity in accordance with Section 63A-16-511;
142 (d) promote cybersecurity best practices;
143 (e) share cyber threat intelligence with governmental entities and, through the State
144 Information and Analysis Center, with other public and private sector organizations;
145 (f) serve as the state cybersecurity incident response hotline to receive reports of
146 breaches of system security, including notification or disclosure under Section 13-44-202 or
147 63A-16-511;
148 (g) develop incident response plans to coordinate federal, state, local, and private
149 sector activities and manage the risks associated with an attack or malfunction of critical
150 information technology systems within the state; and
151 (h) coordinate, develop, and share best practices for cybersecurity resilience in the
152 state.
153 Section 4. Section 63A-16-511 is enacted to read:
154 63A-16-511. Reporting to the Utah Cyber Center -- Assistance to governmental
155 entities.
156 (1) As used in this section:
157 (a) "Governmental entity" means the same as that term is defined in Section
158 63G-2-103.
159 (b) "Utah Cyber Center" means the Utah Cyber Center created in Section 62A-16-510.
160 (2) A governmental entity shall contact the Utah Cyber Center as soon as practicable
161 when the governmental entity becomes aware of a breach of system security.
162 (3) The Utah Cyber Center shall provide the governmental entity with assistance in
163 responding to the breach of system security, which may include:
164 (a) conducting all or part of the investigation required under Subsection
165 13-44-202(1)(a);
166 (b) assisting law enforcement with the law enforcement investigation if needed;
167 (c) determining the scope of the breach of system security;
168 (d) assisting the governmental entity in restoring the reasonable integrity of the system;
169 or
170 (e) providing any other assistance in response to the reported breach of system security.
171 Section 5. Section 63C-27-202 is amended to read:
172 63C-27-202. Commission duties.
173 The commission shall:
174 (1) identify and inform the governor of:
175 (a) cyber threats and vulnerabilities towards Utah's critical infrastructure;
176 (b) cybersecurity assets and resources;
177 (c) an analysis of:
178 (i) current cyber incident response capabilities;
179 (ii) potential cyber threats; and
180 (iii) areas of significant concern with respect to:
181 (A) vulnerability to cyber attack; or
182 (B) seriousness of consequences in the event of a cyber attack;
183 (2) provide resources with respect to cyber attacks in both the public and private sector,
184 including:
185 (a) best practices;
186 (b) education; and
187 (c) mitigation;
188 (3) promote cyber security awareness;
189 (4) share information;
190 (5) promote best practices to prevent and mitigate cyber attacks;
191 (6) enhance cyber capabilities and response for all Utahns;
192 (7) provide consistent outreach and collaboration with private and public sector
193 organizations; [
194 (8) share cyber threat intelligence to operators and overseers of Utah's critical
195 infrastructure[
196 (9) identify sources of funding to make cybersecurity improvements throughout the
197 state;
198 (10) develop a sharing platform to provide resources based on the information,
199 recommendations, and best practices developed under Subsection (1); and
200 (11) partner with institutions of higher education and other public and private sector
201 organizations to increase the state's cyber resilience.
202 Section 6. Section 63D-2-105 is enacted to read:
203 63D-2-105. Use of authorized domain extensions for government websites.
204 (1) (a) As used in this section, "authorized top level domain" means any of the
205 following suffixes that follows the domain name in a website address:
206 (i) gov;
207 (ii) edu; and
208 (iii) mil.
209 (2) Beginning January 1, 2025, a governmental entity shall use an authorized top level
210 domain for:
211 (a) the website address for the governmental entity's government website; and
212 (b) the email addresses used by the governmental entity and the governmental entity's
213 employees.
214 (3) Notwithstanding Subsection (2), a governmental entity may operate a website that
215 uses a top level domain that is not an authorized top level domain if:
216 (a) a reasonable person would not mistake the website as the governmental entity's
217 primary website; and
218 (b) the governmental website is:
219 (i) solely for internal use and not intended for use by members of the public;
220 (ii) temporary and in use by the governmental entity for a period of less than one year;
221 or
222 (iii) related to an event, program, or informational campaign operated by the
223 governmental entity in partnership with another person that is not a governmental entity.
224 (4) The chief information officer appointed under Section 63A-16-201 may authorize a
225 waiver of the requirement in Subsection (2) if:
226 (a) there are extraordinary circumstances under which use of an authorized domain
227 extension would cause demonstrable harm to citizens or businesses; and
228 (b) the executive director or chief executive of the governmental entity submits a
229 written request to the chief information officer that includes a justification for the waiver.