This document includes House Committee Amendments incorporated into the bill on Tue, Feb 13, 2024 at 11:30 AM by housengrossing.
1
2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill amends provisions related to cybersecurity, breach notification requirements,
10 and authorized domain name extensions.
11 Highlighted Provisions:
12 This bill:
13 ▸ defines terms;
14 ▸ makes technical and conforming changes;
15 ▸ describes a person's breach notification responsibilities to the Utah Cyber Center;
16 and
17 ▸ describes a governmental entity's reporting responsibilities to the Utah Cyber
18 Center.
19 Money Appropriated in this Bill:
20 None
21 Other Special Clauses:
22 None
23 Utah Code Sections Affected:
24 AMENDS:
25 13-44-202, as last amended by Laws of Utah 2023, Chapter 496
26 63D-2-102, as last amended by Laws of Utah 2023, Chapter 275
27 63D-2-105, as enacted by Laws of Utah 2023, Chapter 496
28 ENACTS:
29 63A-16-1101, Utah Code Annotated 1953
30 RENUMBERS AND AMENDS:
31 63A-16-1102, (Renumbered from 63A-16-510, as enacted by Laws of Utah 2023,
32 Chapter 496)
33 63A-16-1103, (Renumbered from 63A-16-511, as enacted by Laws of Utah 2023,
34 Chapter 496)
35
36 Be it enacted by the Legislature of the state of Utah:
37 Section 1. Section 13-44-202 is amended to read:
38 13-44-202. Personal information -- Disclosure of system security breach.
39 (1) (a) A person who owns or licenses computerized data that includes personal
40 information concerning a Utah resident shall, when the person becomes aware of a breach of
41 system security, conduct in good faith a reasonable and prompt investigation to determine the
42 likelihood that personal information has been or will be misused for identity theft or fraud
43 purposes.
44 (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
45 information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
46 the person shall provide notification to each affected Utah resident.
47 (c) If an investigation under Subsection (1)(a) reveals that the misuse of personal
48 information relating to 500 or more Utah residents, for identity theft or fraud purposes, has
49 occurred or is reasonably likely to occur, the person shall, in addition to the notification
50 required in Subsection (1)(b), provide notification to:
51 (i) the Office of the Attorney General; and
52 (ii) the Utah Cyber Center created in Section [
53 (d) If an investigation under Subsection (1)(a) reveals that the misuse of personal
54 information relating to 1,000 or more Utah residents, for identity theft or fraud purposes, has
55 occurred or is reasonably likely to occur, the person shall, in addition to the notification
56 required in Subsections (1)(b) and (c), provide notification to each consumer reporting agency
57 that compiles and maintains files on consumers on a nationwide basis, as defined in 15 U.S.C.
58 Sec. 1681a.
59 (2) A person required to provide notification under Subsection (1) shall provide the
60 notification in the most expedient time possible without unreasonable delay:
61 (a) considering legitimate investigative needs of law enforcement, as provided in
62 Subsection (4)(a);
63 (b) after determining the scope of the breach of system security; and
64 (c) after restoring the reasonable integrity of the system.
65 (3) (a) A person who maintains computerized data that includes personal information
66 that the person does not own or license shall notify and cooperate with the owner or licensee of
67 the information of any breach of system security immediately following the person's discovery
68 of the breach if misuse of the personal information occurs or is reasonably likely to occur.
69 (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
70 breach with the owner or licensee of the information.
71 (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
72 under Subsection (1)(b) at the request of a law enforcement agency that determines that
73 notification may impede a criminal investigation.
74 (b) A person who delays providing notification under Subsection (4)(a) shall provide
75 notification in good faith without unreasonable delay in the most expedient time possible after
76 the law enforcement agency informs the person that notification will no longer impede the
77 criminal investigation.
78 (5) (a) A notification required by Subsection (1)(b) may be provided:
79 (i) in writing by first-class mail to the most recent address the person has for the
80 resident;
81 (ii) electronically, if the person's primary method of communication with the resident is
82 by electronic means, or if provided in accordance with the consumer disclosure provisions of
83 15 U.S.C. Section 7001;
84 (iii) by telephone, including through the use of automatic dialing technology not
85 prohibited by other law; or
86 (iv) for residents of the state for whom notification in a manner described in
87 Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system
88 security:
89 (A) in a newspaper of general circulation; and
90 (B) as required in Section 45-1-101.
91 (b) If a person maintains the person's own notification procedures as part of an
92 information security policy for the treatment of personal information the person is considered
93 to be in compliance with the notification requirement in Subsection (1)(b) if the procedures are
94 otherwise consistent with this chapter's timing requirements and the person notifies each
95 affected Utah resident in accordance with the person's information security policy in the event
96 of a breach.
97 (c) A person who is regulated by state or federal law and maintains procedures for a
98 breach of system security under applicable law established by the primary state or federal
99 regulator is considered to be in compliance with this part if the person notifies each affected
100 Utah resident in accordance with the other applicable law in the event of a breach.
101 (6) (a) [
102
103
104
105
106
107
108 record under Subsections 63G-2-305(1) and (2) if the requirements of Subsection
109 63G-2-309(1)(a)(i) are met:
110 (i) a notification submitted under Subsection (1)(c), including supporting information
111 provided under Subsection (6)(b); and
112 (ii) information produced by the Office of the Attorney General or the Utah Cyber
113 Center in providing coordination or assistance to person providing notification under
114 Subsection (1)(c).
115 (b) A person providing notification under Subsection (1)(c) to the Office of the
116 Attorney General or the Utah Cyber Center of a breach of system security shall include the
117 following information in the notification, to the extent the information is known or available at
118 the time the person provides the notification:
119 (i) the date the breach of system security occurred;
120 (ii) the date the breach of system security was discovered;
121 (iii) the total number of people affected by the breach of system security, including the
122 total number of Utah residents affected;
123 (iv) the type of personal information involved in the breach of system security; and
124 (v) a short description of the breach of system security that occurred.
125 [
126
127 [
128 [
129
130 (7) A waiver of this section is contrary to public policy and is void and unenforceable.
131 Section 2. Section 63A-16-1101 is enacted to read:
132
133 63A-16-1101. Definitions.
134 As used in this part:
135 (1) "Cyber Center" means the Utah Cyber Center created in Section 63A-16-1102.
136 (2) "Data breach" means the unauthorized access, acquisition, disclosure, loss of
137 access, or destruction of:
138 (a) personal data affecting 500 or more individuals; or
139 (b) data that compromises the security, confidentiality, availability, or integrity of the
140 computer systems used or information maintained by the governmental entity.
141 (3) "Governmental entity" means the same as that term is defined in Section
142 63G-2-103.
143 (4) "Personal data" means information that is linked or can be reasonably linked to an
144 identified individual or an identifiable individual.
145 Section 3. Section 63A-16-1102, which is renumbered from Section 63A-16-510 is
146 renumbered and amended to read:
147 [
148 [
149 [
150
151 [
152 [
153 (b) The chief information security officer appointed under Section 63A-16-210 shall
154 serve as the director of the [
155 [
156 following entities within the Department of Public Safety created in Section 53-1-103:
157 (a) the Statewide Information and Analysis Center;
158 (b) the State Bureau of Investigation created in Section 53-10-301; and
159 (c) the Division of Emergency Management created in Section 53-2a-103.
160 [
161 shall collaborate with:
162 (a) the Cybersecurity Commission created in Section 63C-27-201;
163 (b) the Office of the Attorney General;
164 (c) the Utah Education and Telehealth Network created in Section 53B-17-105;
165 (d) appropriate federal partners, including the Federal Bureau of Investigation and the
166 Cybersecurity and Infrastructure Security Agency;
167 (e) appropriate information sharing and analysis centers;
168 (f) [
169
170 directors, cybersecurity professionals, or equivalent individuals representing political
171 subdivisions in the state; and
172 (g) any other person the division believes is necessary to carry out the duties described
173 in Subsection [
174 [
175 (a) by June 30, 2024, develop a statewide strategic cybersecurity plan for [
176
177 (b) with respect to executive branch agencies:
178 (i) identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities;
179 (ii) coordinate cybersecurity resilience planning;
180 (iii) provide cybersecurity incident response capabilities; and
181 (iv) recommend to the division standards, policies, or procedures to increase the cyber
182 resilience of executive branch agencies individually or collectively;
183 (c) at the request of a governmental entity, coordinate cybersecurity incident response
184 for [
185 [
186 (d) promote cybersecurity best practices;
187 (e) share cyber threat intelligence with governmental entities and, through the
188 Statewide Information and Analysis Center, with other public and private sector organizations;
189 (f) serve as the state cybersecurity incident response [
190 reports of breaches of system security, including notification or disclosure under Section
191 13-44-202 [
192 (g) develop incident response plans to coordinate federal, state, local, and private
193 sector activities and manage the risks associated with an attack or malfunction of critical
194 information technology systems within the state;
195 (h) coordinate, develop, and share best practices for cybersecurity resilience in the
196 state;
197 (i) identify sources of funding to make cybersecurity improvements throughout the
198 state;
199 (j) develop a sharing platform to provide resources based on information,
200 recommendations, and best practices; and
201 (k) partner with institutions of higher education and other public and private sector
202 organizations to increase the state's cyber resilience.
203 Section 4. Section 63A-16-1103, which is renumbered from Section 63A-16-511 is
204 renumbered and amended to read:
205 [
206 governmental entities -- Records.
207 [
208 [
209
210 [
211
212 [
213 soon as practicable when the governmental entity becomes aware of a data breach [
214
215 (b) When a governmental entity notifies the Cyber Center of a data breach under
216 Subsection (1)(a), the governmental entity shall include the following information:
217 (i) the date Ĥ→ and time ←Ĥ the data breach occurred;
218 (ii) the date Ĥ→ [
219 (iii) the total number of people affected by the data breach, including the total number
220 of Utah residents affected;
221 (iv) the type of personal data involved in the data breach;
222 (v) a short description of the data breach that occurred;
223 (vi) the path or means by which access was gained to the system, computer, or
224 network, if known;
225 (vii) the individual or entity who perpetrated the data breach, if known;
226 (viii) steps the governmental entity is taking or has taken to mitigate the impact of the
227 data breach; and
228 (ix) any other details requested by the Cyber Center.
229 [
230 in responding to the data breach [
231 (a) conducting all or part of [
232
233 (b) assisting law enforcement with the law enforcement investigation if needed;
234 (c) determining the scope of the data breach [
235 (d) assisting the governmental entity in restoring the reasonable integrity of the system;
236 or
237 (e) providing any other assistance in response to the reported data breach [
238
239 [
240
241
242
243 [
244
245
246
247 [
248 [
249 in accordance with Section 63G-2-206.
250 (b) The following information may be deemed confidential and may only be shared as
251 provided in Subsection 63G-2-206:
252 (i) the information provided to the Cyber Center by a governmental entity under
253 Subsections (1)(b)(vi) through (ix); and
254 (ii) information produced by the Cyber Center in response to a report of a data breach
255 under Subsection (2).
256 Section 5. Section 63D-2-102 is amended to read:
257 63D-2-102. Definitions.
258 As used in this chapter:
259 (1) (a) "Collect" means the gathering of personally identifiable information:
260 (i) from a user of a governmental website; or
261 (ii) about a user of the governmental website.
262 (b) "Collect" includes use of any identifying code linked to a user of a governmental
263 website.
264 (2) "Court website" means a website on the Internet that is operated by or on behalf of
265 any court created in Title 78A, Chapter 1, Judiciary.
266 (3) "Governmental entity" means:
267 (a) an executive branch agency as defined in Section 63A-16-102;
268 (b) the legislative branch;
269 (c) the judicial branch;
270 (d) the State Board of Education created in Section 20A-14-101.5;
271 (e) the Utah Board of Higher Education created in Section 53B-1-402;
272 (f) an institution of higher education as defined in Section 53B-1-102; and
273 (g) a political subdivision of the state:
274 (i) as defined in Section 17B-1-102; and
275 (ii) including a school district created under Section 53G-3-301 or 53G-3-302.
276 (4) (a) "Governmental website" means a website on the Internet that is operated by or
277 on behalf of a governmental entity.
278 (b) "Governmental website" includes a court website.
279 (5) "Governmental website operator" means a governmental entity or person acting on
280 behalf of the governmental entity that:
281 (a) operates a governmental website; and
282 (b) collects or maintains personally identifiable information from or about a user of
283 that website.
284 (6) "Personally identifiable information" means information that identifies:
285 (a) a user by:
286 (i) name;
287 (ii) account number;
288 (iii) physical address;
289 (iv) email address;
290 (v) telephone number;
291 (vi) Social Security number;
292 (vii) credit card information; or
293 (viii) bank account information;
294 (b) a user as having requested or obtained specific materials or services from a
295 governmental website;
296 (c) Internet sites visited by a user; or
297 (d) any of the contents of a user's data-storage device.
298 (7) "School" means a public or private elementary or secondary school.
299 [
300 Section 6. Section 63D-2-105 is amended to read:
301 63D-2-105. Use of authorized domain extensions for government websites.
302 (1) [
303 following suffixes that follows the domain name in a website address:
304 [
305 [
306 [
307 (2) Beginning [
308 level domain for:
309 (a) the website address for the governmental entity's government website; and
310 (b) the email addresses used by the governmental entity and the governmental entity's
311 employees.
312 (3) Notwithstanding Subsection (2), a governmental entity may operate a website that
313 uses a top level domain that is not an authorized top level domain if:
314 (a) (i) a reasonable person would not mistake the website as the governmental entity's
315 primary website; and
316 [
317 [
318 [
319 year; or
320 [
321 governmental entity in partnership with another person that is not a governmental entity[
322 (b) the governmental entity is a school district or a school that is not an institution of
323 higher education and the use of an authorized top level domain is otherwise prohibited,
324 provided that once the use of an authorized top level domain is not otherwise prohibited, the
325 school district or school shall transition to an authorized top level domain within 15 months.
326 (4) The chief information officer appointed under Section 63A-16-201 may authorize a
327 waiver of the requirement in Subsection (2) if:
328 (a) there are extraordinary circumstances under which use of an authorized domain
329 extension would cause demonstrable harm to citizens or businesses; and
330 (b) the executive director or chief executive of the governmental entity submits a
331 written request to the chief information officer that includes a justification for the waiver.
332 Section 7. Effective date.
333 This bill takes effect on May 1, 2024.