Utah has announced an amendment to its data breach laws, which now requires breached organizations to notify individuals involved and the Attorney General in some instances.
What happened
During Utah’s 2023 General Session, the committee passed a bill amending Utah’s data breach law. The new amendment requires companies to notify the Attorney General and the Utah Cyber Center of data breaches if the breach involves 500 or more state residents.
If the breach involves more than 1,000 state residents, the company must notify the Attorney General, the Utah Cyber Center, and consumer reporting agencies.
The new law will officially take effect on May 3, 2023. Its creation coincides with the codification of Utah’s Cyber Center, a new entity created to provide a “statewide strategic cybersecurity plan for executive branch agencies and other governmental organizations.”
Why it matters
Utah’s law will apply to anyone who has computerized data of personal information regarding Utah residents. The new requirement and the accompanying Cyber Center are designed to encourage the disclosure of data breaches and ensure that organizations feel supported when developing their cybersecurity plan.
Utah now joins states such as California, Colorado, Delaware, Florida, Illinois, Iowa, Rhode Island, and Washington, which all mandate notification to state authorities if at least 500 individuals are affected. Many other states also have notification requirements at various threshold levels.
Going deeper
While the law will go into effect in a little over a week, Utah has yet to release any specific guidance on the process for reporting breaches. They have indicated that breach notifications to the Utah Cyber Center should be emailed to cybercenter@utah.gov. They have also stated that notifications must be sent to the necessary offices in a timely manner. However, no specific timeline has been given as of writing.
The Utah Cyber Center is the successor to a similar effort launched in 2018. The new center will be heavily involved in cybersecurity planning for government agencies, with tasks such as “identify[ing], analz[ing], and, when appropriate mitigat[ing] cyber threats and vulnerabilities.” The entity will also be promoting best practices for cybersecurity.
Many of the tasks the Utah Cyber Center is undertaking are related to government agencies. Still, the center is also planning to share cyber threat intelligence with other public and private sector organizations.
Bottom line
Data breaches, whether in government entities or private ones, require immediate action from the entity involved to maintain HIPAA compliance.
As Utah continues to develop new cyber strategies and procedures, healthcare workers should closely monitor requirements for breach notifications. Of course, the best way to avoid this requirement is to ensure all of your organization’s communication remains highly secure and HIPAA compliant.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
