Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organizations are responsible for submitting any required regulatory reporting and consumer notifications.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Breach violations can result in penalties of $2,500 per consumer up to $100,000; over 10,000 Utah residents and over 10,000 consumers who are residents of other states, a greater penalty may be assessed. The attorney general may enforce the provisions of the Protection of Personal Information Act, including inspection of records. Costs associated with the inspection could be incurred, as well as fines of $500, or a higher amount if $500 is estimated to be insufficient. The attorney general can seek injunctive relief to prevent future violations. Organizations may be fined or penalized for Vendor violations.

Educational facilities must implement and maintain a data governance plan and are required to provide employee training on student privacy laws. There are sector-specific vendor contract requirements for educational entities. Educational facilities must provide notification to parents in the event of a breach.

Utah’s Genetic Information Privacy law governs the collection, use, disclosure and consent of resident’s genetic data, and mandates that companies implement a comprehensive security program. In addition, genetic testing companies (GTC) are required to publish a privacy notice detailing the collection, consent, use, access, disclosure, transfer, security and retention/deletion practices of their data. GTCs must provide a process for the access or deletion/destruction of genetic data or biological samples. GTC may not disclose a direct resident consumer’s genetic data to an employer, nor any entity that offers health, life or long-term care insurance, without their express written consent.

Organizations can defend against civil liability from certain causes of actions arising out of a data breach by having a written cybersecurity program that conforms with an industry recognized framework. Organizations and Vendors who are businesses operating in Utah must have measures in place for the destruction of records containing personal information, so the records are unreadable or undecipherable. Organizations and Vendors who are businesses operating in Utah must protect personal information from unlawful use or disclosure.

Vendors must cooperate with Organizations and provide any relevant information regarding a breach incident.