Utah Data Breach Laws: Legal Requirements for Businesses

Utah's Protection of Personal Information Act requires businesses to notify their customers about a breach involving unencrypted consumer data. Notification can take the form of a phone call, email, letter, or newspaper announcement. In addition, Utah authorities can fine businesses up to $100,000 per breach ($2,500 per affected user). This law applies to any business that owns or licenses the protected information of Utah residents.

Name of Law / Statute

Protection of Personal Information Act

Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.

Who Is Subject to Law?

Any business that owns or licenses PI of Utah residents

Notification of Consumers?

Yes, unless determination of no harm by business

By what means?

Written, electronic, phone, or newspaper

Substitute Notice Threshold?


Notification of authorities / regulators required?


By what means?


Regulatory Fines

Up to $2,500/consumer, cap at $100k in aggregate per incident

Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?


Regulatory actions allowed?


HIPAA Compliance exemption?


Other (e.g., timeframe)

Law does not apply if PI was encrypted or otherwise secured or modified to protect PI

Link to complete law

Utah's data breach law

Read the full text of Utah’s data breach law for more information.
