- Utah Legislature passes comprehensive cybersecurity bill.
- New rules for breach investigations, notifications, and reporting.
- Utah Cyber Center to develop statewide cybersecurity plan.
The Utah Legislature has passed a comprehensive bill aimed at bolstering cybersecurity measures across the state. The bill amends the disclosure requirement for system security breaches, requires the Division of Technology Services to report on the consolidation of networks used by governmental entities, and creates the Utah Cyber Center with specific duties. Furthermore, the bill mandates that governmental entities report breaches of system security to the Utah Cyber Center and requires all governmental websites to use an authorized top-level domain by January 1, 2025.
Under the new legislation, organizations that own or license computerized data containing personal information about Utah residents must conduct a reasonable and prompt investigation when they become aware of a system security breach. The investigation should determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes. If misuse has occurred or is likely to occur, the affected Utah residents must be notified.
In cases where the misuse of personal information affects 500 or more Utah residents, the organization must also notify the Office of the Attorney General and the newly established Utah Cyber Center. If the breach affects 1,000 or more residents, the organization must additionally notify consumer reporting agencies that compile and maintain files on consumers nationwide.
The bill also requires the Division of Technology Services to collaborate with the Cybersecurity Commission and identify opportunities, limitations, and barriers to enhancing the state’s overall cybersecurity resilience by consolidating certain information technology services and networks used by governmental entities. A report on this collaboration is due to the Government Operations Interim Committee, the Infrastructure and General Government Appropriations Subcommittee, and the Cybersecurity Commission by November 15, 2023.
The Utah Cyber Center will operate within the Division of Technology Services, with the chief information security officer appointed under Section 63A-16-210 serving as the director. The Cyber Center will be responsible for developing a statewide strategic cybersecurity plan for executive branch agencies and other governmental entities by June 30, 2024. Other duties include identifying and mitigating cyber threats and vulnerabilities, coordinating cybersecurity resilience planning, and providing cybersecurity incident response capabilities.
In the event of a breach, governmental entities must contact the Utah Cyber Center as soon as possible. The center will provide assistance in responding to the breach, which may include conducting investigations, assisting law enforcement, determining the scope of the breach, restoring system integrity, or providing other necessary assistance.
The new legislation is a significant step toward protecting Utah residents and governmental entities from cyber threats and enhancing the state’s overall cybersecurity resilience. By establishing a centralized Cyber Center and requiring prompt action in the event of a security breach, the state aims to proactively address cyber risks and safeguard sensitive information.