Ask Reggi Your Question Now
Can you summarize UTCO Title 13, Chapter 44?
Commerce and Trade > Protection of Personal Information Act
Short Summary
The Protection of Personal Information Act, part of the Utah Code, governs the security and confidentiality of personal information. It requires persons who own or license computerized data containing personal information of Utah residents to conduct a reasonable and prompt investigation when they become aware of a breach of system security. If the investigation reveals that personal information has been or is likely to be misused for identity theft or fraud, the person must provide notification to each affected Utah resident. Additional notification is required if the breach affects 500 or more Utah residents, including notification to the Office of the Attorney General and the Utah Cyber Center. If the breach affects 1,000 or more Utah residents, notification to consumer reporting agencies is also required. The document outlines the timing requirements for providing notification, cooperation between data owners and maintainers, and the ability to delay notification at the request of law enforcement. Various methods of notification are allowed, including written, electronic, telephone, and publishing notice in a newspaper. The Act also requires any person who conducts business in the state and maintains personal information to implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business. They must also arrange for the destruction of records containing personal information that are not to be retained by the person, using methods such as shredding, erasing, or modifying the personal information to make it indecipherable. The Act defines ‘breach of system security’ as the unauthorized acquisition of computerized data compromising the security, confidentiality, or integrity of personal information. However, it excludes the acquisition of personal information by an employee or agent of the person possessing unencrypted computerized data, unless used for an unlawful purpose or disclosed in an unauthorized manner. The Act defines ‘consumer’ as a natural person and ‘financial institution’ as per the definition in 15 U.S.C. Sec. 6809. ‘Personal information’ includes a person’s first name or initial and last name, combined with certain data elements such as Social Security number, financial account number, credit or debit card number, and driver license number or state identification card number. However, it excludes information contained in government records or widely distributed media available to the general public. The Act clarifies that ‘record’ includes materials maintained in any form, including paper and electronic.
Whom does it apply to?
Persons who own or license computerized data containing personal information of Utah residents, financial institutions, and affiliates of financial institutions
What does it govern?
Protection of Personal Information Act
What are exemptions?
Financial institutions and affiliates of financial institutions
What are the Penalties?
The penalties for non-compliance or violation of the provisions are not specified in this document.
Jurisdiction
Utah