Can I skip having an information security program in place in Utah? What are the requirements?

Based on the information provided in the context documents, it is not possible to skip having an information security program in place in Utah. Each licensee is required to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information ^[1.1]. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities ^[1.1].

The objectives of the information security program are to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer ^[1.2].

It is important to note that the requirement to have an information security program in place applies to licensees in Utah. Other employers, including political subdivisions and educational institutions, are eligible but not required to participate in the program on behalf of their employees ^[3.1].

To verify information, requestors must submit the subject’s name as it appears on the Utah Driver License or Identification card, the subject’s Utah Driver License or Identification card number, and the subject’s date of birth. Upon submittal of an electronic request for verification, ValIDate will search the Utah Driver License Division Database and furnish a “YES” or “NO” response. A “YES” response verifies the name, Utah Driver License or Identification card number, and date of birth, matches the information in the Utah Driver License Division Database. A “NO” response indicates one or more data fields submitted does not match the information in the Utah Driver License Division Database ^[4.1].

To apply for access to the ValIDate system, the requestor must meet the qualifications stated in Subsection 53-3-109(1)(b)(iii), submit a “User Agreement for the ValIDate System” to the Division, and submit documentation to the division that establishes the requestor is a depository institution as defined in Section 7-1-103. Upon receipt of the required form and documentation, the division shall review the materials to determine if the requestor is eligible to access the ValIDate system and may request additional information to determine if the requestor is eligible to access the ValIDate system. If the division determines the requestor has met the requirements to access the ValIDate system, the division shall notify Utah Interactive, Inc. that the requestor is authorized to access ValIDate. If the division determines the applicant does not meet the requirements to access the ValIDate system, the division shall issue a denial letter to the requestor stating the reasons for the denial, and the requestor may seek agency review as provided by Section 63G-4-301 by filing a written request for review within 30 calendar days after the issuance of the letter ^[4.2].

This response is based on the information available in the context documents.

Source(s):

• [1.1] Information Security Program.
• [1.2] Objectives of Information Security Program.
• [3.1] Program participation – Eligibility – Optional for certain groups. (Effective 5/4/2022)
• [4.1] Procedures for Verification of Information.
• [4.2] Application for Access to the ValIDate System.

Jurisdiction

Utah

• Privacy