Utah Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Utah's data breach notification law is codified as the Protection of Personal Information Act, Utah Code 13-44-101 et seq., and has been in effect since 2006. The law received a significant update in 2024 through Senate Bill 98, effective May 1, 2024, which added new requirements for notifying the Attorney General and the Utah Cyber Center.
Utah's approach to breach notification is distinctive in several ways. The law requires entities to investigate first and notify only if identity theft or fraud is reasonably likely. The timeline uses a "without unreasonable delay" standard rather than a fixed-day deadline. And the penalty structure caps civil penalties at modest levels compared to many other states.
This guide covers the full scope of Utah's breach notification requirements, including how they connect to the broader [Utah data privacy laws](/us-laws/data-privacy-laws/utah-data-privacy-laws) framework, which also includes the Utah Consumer Privacy Act (UCPA).
Who Must Comply
Utah's law applies to any person who owns or licenses computerized data that includes personal information concerning a Utah resident. The term "person" includes businesses, corporations, partnerships, and other entities. Businesses located outside Utah are subject to the law if they hold data belonging to Utah residents.
Third-Party Data Holders
When a third party maintains data on behalf of another entity, the third party must notify the data owner or licensee of the breach. The data owner then bears the responsibility for investigating and notifying affected residents.
Own Security Policy Exception
An entity that maintains its own notification procedures as part of an information security policy is deemed in compliance with the notification requirements, as long as those procedures are consistent with the timing requirements of the statute.
The Investigation Requirement
Utah stands out from many states by requiring entities to conduct a good faith investigation before triggering notification obligations.
Under Section 13-44-202, when an entity becomes aware of a breach of system security, it must conduct a good faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud.
Notification is required only if the investigation reveals that misuse of personal information for identity theft or fraud has occurred or is reasonably likely. This risk-based approach means not every breach automatically requires notification. If an entity determines through its investigation that misuse is unlikely, it may not be required to notify. Because the decision not to notify rests entirely on that determination, an entity should retain the evidence and reasoning behind it (what data was taken, by whom, and why misuse is unlikely) so the decision can be defended later.
What Constitutes a Breach
Under Section 13-44-102, a "breach of system security" means an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
The definition turns on acquisition, not mere access. Unauthorized access that does not result in the data actually being acquired may not trigger the investigation obligation. In practice, distinguishing the two depends on having logs or forensic evidence showing what was read, copied, or exfiltrated; without that evidence, an entity will usually have to assume acquisition.
Encryption Safe Harbor
If the personal information was encrypted, or protected by another method that renders it unreadable or unusable, the breach notification requirements do not apply. Utah does not specify a particular encryption standard (unlike some states that reference FIPS 140-2 or 128-bit encryption). Because the statutory test is whether the data is actually unreadable or unusable, an entity relying on this safe harbor should be able to show that the acquired data was encrypted at the time it was taken and that the decryption key was not exposed along with it; ciphertext acquired together with its key is not unreadable to the attacker.
Personal Information That Triggers the Law
Under Section 13-44-102, personal information means a person's first name or first initial and last name, combined with any one or more of the following data elements, when either the name or data element is unencrypted or not protected by another method that renders the data unreadable or unusable:
- Social Security number
- Financial account number, or credit or debit card number, combined with any required security code, access code, or password that would permit access to the account
- Driver's license number or state identification card number
What Utah's Law Does Not Cover
Utah's definition is relatively narrow. It does not include:
- Medical or health information
- Health insurance identification numbers
- Biometric data
- Email credentials (usernames with passwords)
- Passport numbers
- Taxpayer identification numbers (other than SSNs)
Personal information does not include information contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.
Notification Timeline

Utah requires notification in the most expedient time possible without unreasonable delay, considering:
- Legitimate investigative needs of law enforcement
- The time needed to determine the scope of the breach
- The time needed to restore the reasonable integrity of the system
There is no fixed-day deadline. This gives entities some flexibility, but it also means compliance depends on what is "reasonable" under the circumstances, so the timing of discovery, investigation, law enforcement contact, and system restoration should be documented as it happens.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Notification must proceed once law enforcement indicates it will no longer compromise the investigation.
Who Must Be Notified
Affected Individuals
Every Utah resident whose personal information has been misused for identity theft or fraud, or is reasonably believed to have been or reasonably likely to be misused, must receive notification.
Attorney General and Utah Cyber Center (500+ Threshold)

Under the 2024 amendments added by SB 98, when a breach affects 500 or more Utah residents, the entity must also notify:
- The Office of the Utah Attorney General
- The Utah Cyber Center
The notification must include: the date the breach occurred, the date it was discovered, the total number of people affected (including the number of Utah residents), the type of personal information involved, and a short description of the breach.
Documents submitted to the AG or Cyber Center may be classified as protected records under certain circumstances, providing confidentiality protections during the investigation.
No Consumer Reporting Agency Requirement
Unlike many states, Utah's breach notification statute does not specifically require notification to consumer reporting agencies. However, entities subject to federal laws like the Fair Credit Reporting Act may still have separate CRA notification obligations.
Methods of Notification
Utah permits several notification methods:
- Written notice sent by first-class mail
- Electronic notice, if the entity's primary method of communication with the resident is electronic
- Telephone notice, including through the use of automatic dialing technology
Substitute Notice
Utah also provides for notice by publishing in a newspaper of general circulation. This is available when other methods of notification are impractical.
Penalties and Enforcement

Civil Penalties
Under Section 13-44-301, a person who violates the statute is subject to:
- Up to $2,500 per consumer for a violation or series of violations concerning a specific consumer
- Up to $100,000 in the aggregate for related violations concerning more than one consumer
The $100,000 cap can be exceeded if the violations concern 10,000 or more consumers who are Utah residents and 10,000 or more consumers who are residents of other states, or if the person agrees to settle for a greater amount.
Attorney General Enforcement
Only the Attorney General can enforce the statute. The AG may seek:
- Civil penalties as outlined above
- Injunctive relief to prevent future violations
- Attorney's fees and costs
No Private Right of Action
Utah's breach notification law does not create a private right of action. Individuals cannot sue under this statute. They may pursue claims under other legal theories such as negligence, but not under the Protection of Personal Information Act itself.
Connection to the Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, is a separate comprehensive privacy law that governs how businesses collect and use personal data. UCPA does not replace or modify the breach notification requirements of Chapter 44. The two laws operate independently:
- Chapter 44 governs what happens when personal information is compromised in a breach
- UCPA governs the collection, use, and sharing of personal data in the ordinary course of business
Businesses that handle Utah consumer data should ensure compliance with both statutes.
Sources and References
This article draws from the following official Utah government sources:
- Utah Code 13-44-202 (Disclosure of System Security Breach), le.utah.gov - Core breach notification requirements
- Utah Code 13-44-102 (Definitions), law.justia.com - Personal information and breach definitions
- Utah Code 13-44-301 (Enforcement), le.utah.gov - Penalty provisions and AG authority
- Senate Bill 98 (2024), Online Data Security and Privacy Amendments, le.utah.gov - AG and Cyber Center notification amendments
- Utah Cyber Center: Report a Breach, cybercenter.utah.gov - Online breach reporting portal
This article provides general legal information about Utah data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Utah for guidance specific to your situation.