Need to Report a Breach?
Non-government persons and entities:
The Protection of Personal Information Act, found at Utah Code 13-44-101, et seq., requires any non-government entity which conducts business in the State of Utah to prevent the unlawful use or disclosure of personal information collected by the organization.
If an organization that owns or maintains personal information of a Utah resident becomes aware of a breach of system security, that company must conduct an investigation to determine if the personal information has been or will be misused. If the investigation indicates that the misuse has occurred or is likely to occur, the organization must notify every affected Utah resident.
If the misuse relates to 500 or more Utah residents, the organization must also provide notification to the Utah Attorney General's Office and the Utah Cyber Center. An organization which completes this form automatically provides notification to these two entities.
Data Use Disclosure
Non-government entities: The information on this form is being collected pursuant to the disclosure and reporting requirements of the Utah Protection of Personal Information Act (UPPIA), in particular Utah Code §13-44-202. It will be used for the purposes set forth in the UPPIA, potentially including enforcement pursuant to Utah Code §13-44-30. All information provided on this form is presumptively classified as “public” in accordance with the Utah Government Records Access and Management Act (GRAMA), Utah Code Section §63G-2-301. Confidential information should not be included on this form. If such information needs to be submitted, please indicate that such additional information is available and identify the person who should be contacted regarding such information. Confidential information should only be provided in accordance with the provisions of the UPPIA that provide protection for such information, including Utah Code§13-44-202(6) and/or §13-44-301(7).
Utah Government Entities:
As outlined in Utah Code 63A-19-405 and 63A-16-1103, if your organization is a Utah government entity and after identifying a data breach affecting 500 or more individuals or as noted in 63A-19-405(1)(b). Your organization will need to make notification to the Utah Attorney General's Office and to the Utah Cyber Center without unreasonable delay, but no later than five days from discovery. Completion and submission of the form below automatically provides this notification to these two entities.
Data Use Disclosure
Utah government entities: The information on this form is being collected pursuant to the disclosure and reporting requirements of the Government Data Privacy Act, in particular Utah Code §63A-19-406. It will be used for the purposes set forth in the GDPA and as outlined in Utah Code §63A-16-1103, potentially including enforcement pursuant to Utah Code §63A-19-601 and for assistance with data breaches by the Utah Cyber Center as outlined in Utah Code §63A-16-1103. All information provided on this form may be deemed confidential as outlined in Utah Code §63A-16-1103 and may only be shared as provided in Utah Code §63G-2-206.
Additional Reporting Requirements
Depending on the type of data involved in the breach, you may be subject to additional reporting requirements. Please use the links below to find out more information about the different types of data.
•
Personal Health Information
(HIPAA)
•
Federal Tax Information
(FTI)
•
Criminal Justice Information
(CJIS)
•
Payment Card Information
(PCI-DSS)
