This document includes House Committee Amendments incorporated into the bill on Tue, Feb 13, 2024 at 11:30 AM by housengrossing.
Representative Jefferson S. Burton proposes the following substitute bill:


1     ONLINE DATA SECURITY AND PRIVACY AMENDMENTS
2     2024 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Wayne A. Harper
5     House Sponsor: Jefferson S. Burton
6     

7     LONG TITLE
8     General Description:
9          This bill amends provisions related to cybersecurity, breach notification requirements,
10     and authorized domain name extensions.
11     Highlighted Provisions:
12          This bill:
13          ▸     defines terms;
14          ▸     makes technical and conforming changes;
15          ▸     describes a person's breach notification responsibilities to the Utah Cyber Center;
16     and
17          ▸     describes a governmental entity's reporting responsibilities to the Utah Cyber
18     Center.
19     Money Appropriated in this Bill:
20          None
21     Other Special Clauses:
22          None
23     Utah Code Sections Affected:
24     AMENDS:
25          13-44-202, as last amended by Laws of Utah 2023, Chapter 496

26          63D-2-102, as last amended by Laws of Utah 2023, Chapter 275
27          63D-2-105, as enacted by Laws of Utah 2023, Chapter 496
28     ENACTS:
29          63A-16-1101, Utah Code Annotated 1953
30     RENUMBERS AND AMENDS:
31          63A-16-1102, (Renumbered from 63A-16-510, as enacted by Laws of Utah 2023,
32     Chapter 496)
33          63A-16-1103, (Renumbered from 63A-16-511, as enacted by Laws of Utah 2023,
34     Chapter 496)
35     

36     Be it enacted by the Legislature of the state of Utah:
37          Section 1. Section 13-44-202 is amended to read:
38          13-44-202. Personal information -- Disclosure of system security breach.
39          (1) (a) A person who owns or licenses computerized data that includes personal
40     information concerning a Utah resident shall, when the person becomes aware of a breach of
41     system security, conduct in good faith a reasonable and prompt investigation to determine the
42     likelihood that personal information has been or will be misused for identity theft or fraud
43     purposes.
44          (b) If an investigation under Subsection (1)(a) reveals that the misuse of personal
45     information for identity theft or fraud purposes has occurred, or is reasonably likely to occur,
46     the person shall provide notification to each affected Utah resident.
47          (c) If an investigation under Subsection (1)(a) reveals that the misuse of personal
48     information relating to 500 or more Utah residents, for identity theft or fraud purposes, has
49     occurred or is reasonably likely to occur, the person shall, in addition to the notification
50     required in Subsection (1)(b), provide notification to:
51          (i) the Office of the Attorney General; and
52          (ii) the Utah Cyber Center created in Section [63A-16-510] 63A-16-1102.
53          (d) If an investigation under Subsection (1)(a) reveals that the misuse of personal
54     information relating to 1,000 or more Utah residents, for identity theft or fraud purposes, has
55     occurred or is reasonably likely to occur, the person shall, in addition to the notification
56     required in Subsections (1)(b) and (c), provide notification to each consumer reporting agency

57     that compiles and maintains files on consumers on a nationwide basis, as defined in 15 U.S.C.
58     Sec. 1681a.
59          (2) A person required to provide notification under Subsection (1) shall provide the
60     notification in the most expedient time possible without unreasonable delay:
61          (a) considering legitimate investigative needs of law enforcement, as provided in
62     Subsection (4)(a);
63          (b) after determining the scope of the breach of system security; and
64          (c) after restoring the reasonable integrity of the system.
65          (3) (a) A person who maintains computerized data that includes personal information
66     that the person does not own or license shall notify and cooperate with the owner or licensee of
67     the information of any breach of system security immediately following the person's discovery
68     of the breach if misuse of the personal information occurs or is reasonably likely to occur.
69          (b) Cooperation under Subsection (3)(a) includes sharing information relevant to the
70     breach with the owner or licensee of the information.
71          (4) (a) Notwithstanding Subsection (2), a person may delay providing notification
72     under Subsection (1)(b) at the request of a law enforcement agency that determines that
73     notification may impede a criminal investigation.
74          (b) A person who delays providing notification under Subsection (4)(a) shall provide
75     notification in good faith without unreasonable delay in the most expedient time possible after
76     the law enforcement agency informs the person that notification will no longer impede the
77     criminal investigation.
78          (5) (a) A notification required by Subsection (1)(b) may be provided:
79          (i) in writing by first-class mail to the most recent address the person has for the
80     resident;
81          (ii) electronically, if the person's primary method of communication with the resident is
82     by electronic means, or if provided in accordance with the consumer disclosure provisions of
83     15 U.S.C. Section 7001;
84          (iii) by telephone, including through the use of automatic dialing technology not
85     prohibited by other law; or
86          (iv) for residents of the state for whom notification in a manner described in
87     Subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system

88     security:
89          (A) in a newspaper of general circulation; and
90          (B) as required in Section 45-1-101.
91          (b) If a person maintains the person's own notification procedures as part of an
92     information security policy for the treatment of personal information the person is considered
93     to be in compliance with the notification requirement in Subsection (1)(b) if the procedures are
94     otherwise consistent with this chapter's timing requirements and the person notifies each
95     affected Utah resident in accordance with the person's information security policy in the event
96     of a breach.
97          (c) A person who is regulated by state or federal law and maintains procedures for a
98     breach of system security under applicable law established by the primary state or federal
99     regulator is considered to be in compliance with this part if the person notifies each affected
100     Utah resident in accordance with the other applicable law in the event of a breach.
101          (6) (a) [If a person providing a notification under Subsection (1)(c) to the Office of the
102     Attorney General or the Utah Cyber Center submits the information required under Subsection
103     63G-2-309(1)(a)(i), records submitted to the Office of the Attorney General or the Utah Cyber
104     Center under Subsection (1)(c) and information produced by the Office of the Attorney General
105     or the Utah Cyber Center for any coordination or assistance provided to the person are
106     presumed to be confidential and are a protected record under Subsections 63G-2-305(1) and
107     (2).] The following information may be deemed confidential and classified as a protected
108     record under Subsections 63G-2-305(1) and (2) if the requirements of Subsection
109     63G-2-309(1)(a)(i) are met:
110          (i) a notification submitted under Subsection (1)(c), including supporting information
111     provided under Subsection (6)(b); and
112          (ii) information produced by the Office of the Attorney General or the Utah Cyber
113     Center in providing coordination or assistance to a person providing notification under
114     Subsection (1)(c).
115          (b) A person providing notification under Subsection (1)(c) to the Office of the
116     Attorney General or the Utah Cyber Center of a breach of system security shall include the
117     following information in the notification, to the extent the information is known or available at
118     the time the person provides the notification:

119          (i) the date the breach of system security occurred;
120          (ii) the date the breach of system security was discovered;
121          (iii) the total number of people affected by the breach of system security, including the
122     total number of Utah residents affected;
123          (iv) the type of personal information involved in the breach of system security; and
124          (v) a short description of the breach of system security that occurred.
125          [(b) The department may disclose information provided by a person under Subsection
126     (1)(c) or produced as described in Subsection (6)(a) only if:]
127          [(i) disclosure is necessary to prevent imminent and substantial harm; or]
128          [(ii) the information is anonymized or aggregated in a manner that makes it unlikely
129     that information that is a trade secret, as defined in Section 13-24-2, will be disclosed.]
130          (7) A waiver of this section is contrary to public policy and is void and unenforceable.
131          Section 2. Section 63A-16-1101 is enacted to read:
132     Part 11. Utah Cyber Center

133          63A-16-1101. Definitions.
134          As used in this part:
135          (1) "Cyber Center" means the Utah Cyber Center created in Section 63A-16-1102.
136          (2) "Data breach" means the unauthorized access, acquisition, disclosure, loss of
137     access, or destruction of:
138          (a) personal data affecting 500 or more individuals; or
139          (b) data that compromises the security, confidentiality, availability, or integrity of the
140     computer systems used or information maintained by the governmental entity.
141          (3) "Governmental entity" means the same as that term is defined in Section
142     63G-2-103.
143          (4) "Personal data" means information that is linked or can be reasonably linked to an
144     identified individual or an identifiable individual.
145          Section 3. Section 63A-16-1102, which is renumbered from Section 63A-16-510 is
146     renumbered and amended to read:
147          [63A-16-510].      63A-16-1102. Utah Cyber Center -- Creation -- Duties.
148          [(1) As used in this section:]
149          [(a) "Governmental entity" means the same as that term is defined in Section

150     63G-2-103.]
151          [(b) "Utah Cyber Center" means the Utah Cyber Center created in this section.]
152          [(2)] (1) (a) There is created within the division the Utah Cyber Center.
153          (b) The chief information security officer appointed under Section 63A-16-210 shall
154     serve as the director of the [Utah] Cyber Center.
155          [(3)] (2) The division shall operate the [Utah] Cyber Center in partnership with the
156     following entities within the Department of Public Safety created in Section 53-1-103:
157          (a) the Statewide Information and Analysis Center;
158          (b) the State Bureau of Investigation created in Section 53-10-301; and
159          (c) the Division of Emergency Management created in Section 53-2a-103.
160          [(4)] (3) In addition to the entities described in Subsection (3), the [Utah] Cyber Center
161     shall collaborate with:
162          (a) the Cybersecurity Commission created in Section 63C-27-201;
163          (b) the Office of the Attorney General;
164          (c) the Utah Education and Telehealth Network created in Section 53B-17-105;
165          (d) appropriate federal partners, including the Federal Bureau of Investigation and the
166     Cybersecurity and Infrastructure Security Agency;
167          (e) appropriate information sharing and analysis centers;
168          (f) [associations representing political subdivisions in the state, including the Utah
169     League of Cities and Towns and the Utah Association of Counties] information technology
170     directors, cybersecurity professionals, or equivalent individuals representing political
171     subdivisions in the state; and
172          (g) any other person the division believes is necessary to carry out the duties described
173     in Subsection [(5)] (4).
174          [(5)] (4) The [Utah] Cyber Center shall, within legislative appropriations:
175          (a) by June 30, 2024, develop a statewide strategic cybersecurity plan for [executive
176     branch agencies and other] governmental entities;
177          (b) with respect to executive branch agencies:
178          (i) identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities;
179          (ii) coordinate cybersecurity resilience planning;
180          (iii) provide cybersecurity incident response capabilities; and

181          (iv) recommend to the division standards, policies, or procedures to increase the cyber
182     resilience of executive branch agencies individually or collectively;
183          (c) at the request of a governmental entity, coordinate cybersecurity incident response
184     for [an incident] a data breach affecting the governmental entity in accordance with Section
185     [63A-16-511] 63A-16-1103;
186          (d) promote cybersecurity best practices;
187          (e) share cyber threat intelligence with governmental entities and, through the
188     Statewide Information and Analysis Center, with other public and private sector organizations;
189          (f) serve as the state cybersecurity incident response [hotline] repository to receive
190     reports of breaches of system security, including notification or disclosure under Section
191     13-44-202 [or 63A-16-511] and data breaches under Section 63A-16-1103;
192          (g) develop incident response plans to coordinate federal, state, local, and private
193     sector activities and manage the risks associated with an attack or malfunction of critical
194     information technology systems within the state;
195          (h) coordinate, develop, and share best practices for cybersecurity resilience in the
196     state;
197          (i) identify sources of funding to make cybersecurity improvements throughout the
198     state;
199          (j) develop a sharing platform to provide resources based on information,
200     recommendations, and best practices; and
201          (k) partner with institutions of higher education and other public and private sector
202     organizations to increase the state's cyber resilience.
203          Section 4. Section 63A-16-1103, which is renumbered from Section 63A-16-511 is
204     renumbered and amended to read:
205          [63A-16-511].      63A-16-1103. Reporting to the Cyber Center -- Assistance to
206     governmental entities -- Records.
207          [(1) As used in this section:]
208          [(a) "Governmental entity" means the same as that term is defined in Section
209     63G-2-103.]
210          [(b) "Utah Cyber Center" means the Utah Cyber Center created in Section
211     63A-16-510.]

212          [(2)] (1) (a) A governmental entity shall [contact] notify the [Utah] Cyber Center as
213     soon as practicable when the governmental entity becomes aware of a data breach [of system
214     security].
215          (b) When a governmental entity notifies the Cyber Center of a data breach under
216     Subsection (1)(a), the governmental entity shall include the following information:
217          (i) the date Ĥ→ and time ←Ĥ the data breach occurred;
218          (ii) the date Ĥ→ [and time] ←Ĥ the data breach was discovered;
219          (iii) the total number of people affected by the data breach, including the total number
220     of Utah residents affected;
221          (iv) the type of personal data involved in the data breach;
222          (v) a short description of the data breach that occurred;
223          (vi) the path or means by which access was gained to the system, computer, or
224     network, if known;
225          (vii) the individual or entity who perpetrated the data breach, if known;
226          (viii) steps the governmental entity is taking or has taken to mitigate the impact of the
227     data breach; and
228          (ix) any other details requested by the Cyber Center.
229          [(3)] (2) The [Utah] Cyber Center shall provide the governmental entity with assistance
230     in responding to the data breach [of system security], which may include:
231          (a) conducting all or part of [the] an internal investigation [required under Subsection
232     13-44-202(1)(a)] into the data breach;
233          (b) assisting law enforcement with the law enforcement investigation if needed;
234          (c) determining the scope of the data breach [of system security];
235          (d) assisting the governmental entity in restoring the reasonable integrity of the system;
236     or
237          (e) providing any other assistance in response to the reported data breach [of system
238     security].
239          [(4) (a) A person providing information to the Utah Cyber Center may submit the
240     information required in Section 63G-2-309 to request that the information submitted by the
241     person and information produced by the Utah Cyber Center in the course of the Utah Cyber
242     Center's investigation be classified as a confidential protected record.]

243          [(b) Information submitted to the Utah Cyber Center under Subsection 13-44-202(1)(c)
244     regarding a breach of system security may include information regarding the type of breach, the
245     attack vector, attacker, indicators of compromise, and other details of the breach that are
246     requested by the Utah Cyber Center.]
247          [(c)] (3) (a) A governmental entity that is required to submit information under Section
248     [63A-16-511] 63A-16-1103 shall provide records to the [Utah] Cyber Center as a shared record
249     in accordance with Section 63G-2-206.
250          (b) The following information may be deemed confidential and may only be shared as
251     provided in Subsection 63G-2-206:
252          (i) the information provided to the Cyber Center by a governmental entity under
253     Subsections (1)(b)(vi) through (ix); and
254          (ii) information produced by the Cyber Center in response to a report of a data breach
255     under Subsection (2).
256          Section 5. Section 63D-2-102 is amended to read:
257          63D-2-102. Definitions.
258          As used in this chapter:
259          (1) (a) "Collect" means the gathering of personally identifiable information:
260          (i) from a user of a governmental website; or
261          (ii) about a user of the governmental website.
262          (b) "Collect" includes use of any identifying code linked to a user of a governmental
263     website.
264          (2) "Court website" means a website on the Internet that is operated by or on behalf of
265     any court created in Title 78A, Chapter 1, Judiciary.
266          (3) "Governmental entity" means:
267          (a) an executive branch agency as defined in Section 63A-16-102;
268          (b) the legislative branch;
269          (c) the judicial branch;
270          (d) the State Board of Education created in Section 20A-14-101.5;
271          (e) the Utah Board of Higher Education created in Section 53B-1-402;
272          (f) an institution of higher education as defined in Section 53B-1-102; and
273          (g) a political subdivision of the state:

274          (i) as defined in Section 17B-1-102; and
275          (ii) including a school district created under Section 53G-3-301 or 53G-3-302.
276          (4) (a) "Governmental website" means a website on the Internet that is operated by or
277     on behalf of a governmental entity.
278          (b) "Governmental website" includes a court website.
279          (5) "Governmental website operator" means a governmental entity or person acting on
280     behalf of the governmental entity that:
281          (a) operates a governmental website; and
282          (b) collects or maintains personally identifiable information from or about a user of
283     that website.
284          (6) "Personally identifiable information" means information that identifies:
285          (a) a user by:
286          (i) name;
287          (ii) account number;
288          (iii) physical address;
289          (iv) email address;
290          (v) telephone number;
291          (vi) Social Security number;
292          (vii) credit card information; or
293          (viii) bank account information;
294          (b) a user as having requested or obtained specific materials or services from a
295     governmental website;
296          (c) Internet sites visited by a user; or
297          (d) any of the contents of a user's data-storage device.
298          (7) "School" means a public or private elementary or secondary school.
299          [(7)] (8) "User" means a person who accesses a governmental website.
300          Section 6. Section 63D-2-105 is amended to read:
301          63D-2-105. Use of authorized domain extensions for government websites.
302          (1) [(a)] As used in this section, "authorized top level domain" means any of the
303     following suffixes that follows the domain name in a website address:
304          [(i)] (a) gov;

305          [(ii)] (b) edu; and
306          [(iii)] (c) mil.
307          (2) Beginning [January] July 1, 2025, a governmental entity shall use an authorized top
308     level domain for:
309          (a) the website address for the governmental entity's government website; and
310          (b) the email addresses used by the governmental entity and the governmental entity's
311     employees.
312          (3) Notwithstanding Subsection (2), a governmental entity may operate a website that
313     uses a top level domain that is not an authorized top level domain if:
314          (a) (i) a reasonable person would not mistake the website as the governmental entity's
315     primary website; and
316          [(b)] (ii) the governmental website is:
317          [(i)] (A) solely for internal use and not intended for use by members of the public;
318          [(ii)] (B) temporary and in use by the governmental entity for a period of less than one
319     year; or
320          [(iii)] (C) related to an event, program, or informational campaign operated by the
321     governmental entity in partnership with another person that is not a governmental entity[.]; or
322          (b) the governmental entity is a school district or a school that is not an institution of
323     higher education and the use of an authorized top level domain is otherwise prohibited,
324     provided that once the use of an authorized top level domain is not otherwise prohibited, the
325     school district or school shall transition to an authorized top level domain within 15 months.
326          (4) The chief information officer appointed under Section 63A-16-201 may authorize a
327     waiver of the requirement in Subsection (2) if:
328          (a) there are extraordinary circumstances under which use of an authorized domain
329     extension would cause demonstrable harm to citizens or businesses; and
330          (b) the executive director or chief executive of the governmental entity submits a
331     written request to the chief information officer that includes a justification for the waiver.
332          Section 7. Effective date.
333          This bill takes effect on May 1, 2024.