2nd Sub. (Salmon) S.B. 98 01-23-24 11:13 AM
88 security:
89 (A) in a newspaper of general circulation; and
90 (B) as required in Section 45-1-101.
91 (b) If a person maintains the person's own notification procedures as part of an
92 information security policy for the treatment of personal information the person is considered
93 to be in compliance with the notification requirement in Subsection (1)(b) if the procedures are
94 otherwise consistent with this chapter's timing requirements and the person notifies each
95 affected Utah resident in accordance with the person's information security policy in the event
96 of a breach.
97 (c) A person who is regulated by state or federal law and maintains procedures for a
98 breach of system security under applicable law established by the primary state or federal
99 regulator is considered to be in compliance with this part if the person notifies each affected
100 Utah resident in accordance with the other applicable law in the event of a breach.
101 Öº [(6) (a) If a person providing a notification under Subsection (1)(c) to the Office of the
102 Attorney General or the Utah Cyber Center submits the information required under Subsection
103 63G-2-309(1)(a)(i), records submitted to the Office of the Attorney General or the Utah Cyber
104 Center under Subsection (1)(c), including the information required under Subsection (6)(b),
105 and information produced by the Office of the Attorney General or the Utah Cyber Center for
106 any coordination or assistance provided to the person are presumed to be confidential and are a
107 protected record under Subsections 63G-2-305(1) and (2).]
107a (6)(a) The following information may be deemed confidential and classified as a
107b protected record under Subsections 63G-2-305(1) and (2), if the confidentiality requirements of
107c Subsection 63G-2-309(1)(a)(i) are met:
107d (i) a notification submitted under Subsection (1)(c), including supporting information
107e provided under Subsection (6)(b); and
107f (ii) information produced by the Office of the Attorney General or the Utah Cyber
107g Center in providing coordination or assistance to person providing notification under
107h Subsection (1)(c). »Ö
108 (b) A person providing notification under Subsection (1)(c) to the Office of the
109 Attorney General or the Utah Cyber Center of a breach of system security shall include the
110 following information in the notification Öº , to the extent the information is known or available
110a at the time the person provides the notification »Ö :
111 (i) the date the breach of system security occurred;
112 (ii) the date the breach of system security was discovered;
113 (iii) the total number of people affected by the breach of system security, including the
-4- Senate 2nd Reading Amendments 1-31-2024 lp/se1

Statutes affected:
Introduced: 13-44-202, 63D-2-102, 63D-2-105
Amended: 13-44-202, 63D-2-102, 63D-2-105
Enrolled: 13-44-202, 63D-2-102, 63D-2-105
S.B. 98 1st Substitute (Not Adopted) Text: 13-44-202, 63D-2-102, 63D-2-105
S.B. 98 2nd Substitute : 13-44-202, 63D-2-102, 63D-2-105
S.B. 98 3rd Substitute (Not Adopted) Text: 13-44-202, 63D-2-102, 63D-2-105