Current through the 2024 Fourth Special Session
Section 63A-19-405 - Data breach notification to the Cyber Center and the Office of the Attorney General

(1)
  (a) A governmental entity that identifies a data breach affecting 500 or more individuals shall notify the Cyber Center and the attorney general of the data breach.
  (b) In addition to the notification required by Subsection (1)(a), a governmental entity that identifies the unauthorized access, acquisition, disclosure, loss of access, or destruction of data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity shall notify the Cyber Center.
(2) The notification under Subsection (1) shall:
  (a) be made without unreasonable delay, but no later than five days from the discovery of the data breach; and
  (b) include the following information:
    (i) the date and time the data breach occurred;
    (ii) the date the data breach was discovered;
    (iii) a short description of the data breach that occurred;
    (iv) the means by which access was gained to the system, computer, or network;
    (v) the individual or entity who perpetrated the data breach;
    (vi) steps the governmental entity is or has taken to mitigate the impact of the data breach; and
    (vii) any other details requested by the Cyber Center.
(3) For a data breach under Subsection (1)(a), the governmental entity shall provide the following information to the Cyber Center and the attorney general in addition to the information required under Subsection (2)(b):
  (a) the total number of people affected by the data breach, including the total number of Utah residents affected; and
  (b) the type of personal data involved in the data breach.
(4) If the information required by Subsection (2)(b) is not available within five days of discovering the breach, the governmental entity shall provide as much of the information required under Subsection (2)(b) as is available and supplement the notification with additional information as soon as the information becomes available.
(5)
  (a) A governmental entity that experiences a data breach affecting fewer than 500 individuals shall create an internal incident report containing the information in Subsection (2)(b) as soon as practicable and shall provide additional information as the information becomes available.
  (b) A governmental entity shall provide to the Cyber Center:
    (i) an internal incident report described in Subsection (5)(a) upon request of the Cyber Center; and
    (ii) an annual report logging all of the governmental entity's data breach incidents affecting fewer than 500 individuals.

Added by Chapter 417, 2024 General Session, § 12, eff. 5/1/2024.