Current through the 2024 Fourth Special Session
Section 63A-19-406 - Data breach notice to individuals affected by data breach

(1) A governmental entity shall provide a data breach notice to an individual or legal guardian of an individual affected by the data breach:
(a) after determining the scope of the data breach;
(b) after restoring the reasonable integrity of the affected system, if necessary; and
(c) without unreasonable delay except as provided in Subsection (1)(b).

(2) A governmental entity shall delay providing notification under Subsection (1) at the request of a law enforcement agency that determines that notification may impede a criminal investigation, until such time as the law enforcement agency informs the governmental entity that notification will no longer impede the criminal investigation.

(3) The data breach notice to an affected individual shall include:
(a) a description of the data breach;
(b) the individual's personal data that was accessed or may have been accessed;
(c) steps the governmental entity is taking or has taken to mitigate the impact of the data breach;
(d) recommendations to the individual on how to protect themselves from identity theft and other financial losses; and
(e) any other language required by the Cyber Center.

(4) Unless the governmental entity reasonably believes that providing notification would pose a threat to the safety of an individual, or unless an individual has designated to the governmental entity a preferred method of communication, a governmental entity shall provide notice by:
(a)(i) email, if reasonably available and allowed by law; or
(b) one of the following methods, if the individual's contact information is reasonably available and the method is allowed by law:
(i) text message with a summary of the data breach notice and instructions for accessing the full notice; or
(ii) telephone message with a summary of the data breach notice and instructions for accessing the full data breach notice.

(5) A governmental entity shall also provide a data breach notice in a manner that is reasonably calculated to have the best chance of being received by the affected individual or the legal guardian of an individual, such as through a press release, posting on appropriate social media accounts, or publishing notice in a newspaper of general circulation when:
(a) a data breach affects more than 500 individuals; and
(b) a governmental entity is unable to obtain an individual's contact information to provide notice for any method listed in Subsection (4).

Added by Chapter 417, 2024 General Session, § 13, eff. 5/1/2024.