Utah Consumer Privacy Act
What you need to know to keep your company in compliance
Utah signed the Utah Consumer Privacy Act (UCPA) into law in March 2022, and it will go into effect December 31, 2023. The UCPA gives consumers the right to access, the right to delete, the right to data portability, and the right to opt out. Among all the privacy laws in the US, the UCPA has been hailed as one of the most business friendly. However, it’s still important to understand what’s required under the law and get in compliance. Here’s what every company needs to know.
Automate Utah requirements with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
Who is Subject to the UCPA
The UCPA applies to any business that:
- Conducts business in Utah or offers a product or service targeted to Utah residents
- Has an annual revenue of $25 million or more
- Meets at least one of the following requirements:
- Controls or processes personal data of 100,000 or more consumers in a calendar year
- Derives more than 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers
The law does include exemptions for certain types of organizations (e.g. higher education institutions, non-profits, government entities), certain types of data (e.g. data covered under specific federal regulations and employment-related data), certain instances of selling data, and deidentified, publicly available, or aggregated data.
How the UCPA is Enforced
The Utah attorney general is responsible for enforcing the UCPA. The Utah Division of Consumer Protection fields complaints and investigates potential violations, which it can then refer to the attorney general. The attorney general must provide written notice to the organization and offer a 30 day cure period, after which the company must respond with a written statement about the resolution.
Penalties for Non-Compliance
If a violating company fails to fix an issue or continues to violate the UCPA after saying it fixed the issue, the attorney general can issue a fine of up to $7,500 per violation as well as actual damages to consumers. There is no private right to action and consumers can’t use a violation of the UCPA to support a claim under another Utah law.
The UCPA requires organizations to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data.”
What Incident Response is Required Under the UCPA
The UCPA’s incident response measures following a cybersecurity incident come from a pre-existing Utah law, which requires a notification in the case of a security breach.
|What is a security breach?||Any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.|
|What is personal information?|
A person’s first name or first initial and last name along with at least one of the following:
…unless the data is encrypted or unreadable in any way, included in government records, or available to the general public.
|Who should be notified following a breach?|
Affected Utah residents, unless a reasonable and prompt investigation reveals it is unlikely the personal information will be misused for identity theft or fraud.
If the organization doesn’t own the data, then they must also notify the company that does own the data.
|When should a notification be issued?||As expediently as possible without unreasonable delay once the company has identified the scope of the breach and restored the integrity of any affected systems.|
|How should a notification be issued?|
If none of those methods are possible, the company can publish a notice in a newspaper widely circulated in Utah.
|Are there any exceptions to issuing a notification?|
Types of Security Breaches That Might Require Notification Under the UCPA
Based on the existing security breach notification guidelines in Utah, a variety of incidents can trigger a security breach notification, such as:
Watering Hole Attack
A social engineering attack through which threat actors profile victims to determine websites they visit and then infect those websites to gain access to the victims’ computers or network.
An attack in which malicious actors use malware to steal data from an organization and hold it captive in exchange for money. Even if the data is returned, it was still exposed to a third party.
An attack in which a malicious program is hidden inside legitimate software which, once downloaded by users, creates an access point to view digital behavior and access information.
How Organizations Can Prepare to Comply with the UCPA
Given that UCPA requires organizations to maintain reasonable security practices to protect personal data and that the data breach notification requirements grant a reprieve to organizations with encrypted data, it pays to take a proactive approach. This should cover:
Understand the requirements in relevant regulations and contracts, develop response plans accordingly, assign responsibilities to key stakeholders, and conduct simulations to prepare team members.
Investigate what happened, how and when it happened, what systems were involved, and the potential impact. Remediate the issue, notify customers, agencies, and partners, and implement a safe haven for relevant team communications.
Monitor and report on incident response plans to identify areas for improvement and updates. Communicate changes to stakeholders to maintain alignment and keep them aware of their responsibilities.
Prioritizing Proactive Incident Response
The UCPA is just one of hundreds of comprehensive privacy laws around the world. These regulations along with an increasing number of cyber incidents make proactive protection and incident response a top priority. Doing so requires keeping aware of regulatory updates and changes, introducing response plans with clear responsibilities, testing those plans with tabletop exercises, and regularly revisiting efforts to ensure readiness.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.