Analysis and practice notes on Utah’s Database Breach Law:
Consumer Protection Act Sections 13-44-101, 102, 201, 202, 301.
This law only applies to computerized data containing personal identifying information on Utah residents. If someone loses, for whatever reason, paper data or some form of data that is not computerized, then the law does not apply and no notice has to be given. Moreover, if the data belongs to persons who live in another state, no notice is required.
Query: If data on a computer is printed out on paper, is it computerized data? The answer is most likely no, and therefore no notice has to be given.
The definition of personal information is limited to a person’s name coupled with a Social Security number, account number, credit or debit card number, security code or access code to the person’s account, driver’s license number, or identification number. There is no provision for other personal data or a catch-all for data that could otherwise be used to commit identity theft. Therefore, personal information that is not enumerated is not subject to notification.
Note: The definitions section states that personal information is limited to unencrypted personal information or information that is not protected by another method that renders the data unreadable or unusable. There is no standard for what is rendered unusable. Presumably if the data is protected by spelling it backwards, a readily breakable security measure, it is unreadable and therefore not subject to the disclosure requirements. Therefore, if you have a breach of data that is computerized but subject to some form of encryption, no matter how simple, no notice is required.
Also contained in the definitional section is the escape clause, which states that if the personal information is contained in any governmental or private database that is lawfully made available to the public, then a breach, even of an unrelated database, is not subject to the notice requirements.
If there is a database breach of computerized data that is not encrypted, is notice required? Not yet. First, the entity that has suffered the breach “shall” conduct a “reasonable and prompt” investigation to determine the likelihood that the personal information has been or will be misused for identity theft or fraud purposes. If the investigation determines that the data is to be used by an angry former husband to track down his ex-wife and do her in, there is no requirement for notice. If the investigation determines that there is not a reasonable likelihood of identity theft or fraud, notice is not required. If the entity determines that identity theft or fraud has occurred, or that there is a reasonable likelihood that the data is to be used for identity theft or fraud, then notice is required to be given (in the most expedient time possible without unreasonable delay).
Example: Computerized data containing unencrypted personal information, not otherwise available in a public record, is contained in a laptop. The laptop is stolen in a burglary with other items. Was the laptop stolen for its intrinsic value, or was it stolen because the thief thought he would use the information for identity theft or fraud purposes? A reasonable investigation could easily arrive at the conclusion that the laptop was stolen for its value and not the information contained therein. Therefore no notice would be required.
Provided a database breach requires notification, what form of notice is required? Notice can be in person by talking to the potential victims, by telephone, by e-mail or by putting an ad in a newspaper of general circulation.
Finally, if a person maintains his or her own notification procedure as part of “an information security policy” and provides notice consistent with the Utah law, i.e. “in the most expedient time possible without unreasonable delay,” he or she is considered in compliance with the Utah law. Likewise, anyone who is regulated by another security breach law and who gives Utah residents notice under that law or policy is not subject to the Utah law.