May 8, 2015

Cover Story

30 Women to Watch

From the banking sector to the healthcare sector, the women we’re ho...Read More

Featured Articles


Topping the Charts


Your Name in the Game

Jay Bean: The Accidental Marketer

Virginia Pearce: Creating ‘Reel’ Opportunities for Utah’s Film Industry

Lessons Learned
Rising to the Challenge

Coding Boot Camps

Catchy and Concise

Business Trends
Crash Course

Living Well
Get Up and Move!

Legal Briefs
Hacked Again?!

Is Entrepreneurship for You?

Economic Insight
A Rising Tide

Around Utah
May Around Utah Facts

Industry Outlook
Commercial Real Estate

Special Report
Strength in Numbers

Special Section

Reader's Choice
Camp Snowbird: Exciting Summertime Mountain Fun

UB Voices
UB Voices by CBIZ MHM

UB Voices
UB Voices by CBRE

Editor's Note
Breaking the Glass Ceiling

Top Private Companies


Hacked Again?!

What to Know about Utah’s Data Breach Statute…for Now

By Romaine Marshall

May 8, 2015

Cybersecurity is no longer just a buzz word for IT personnel. It is a necessary talking point in boardrooms and business meetings. Last year alone, more than 1,000 businesses were subjected to cyber-attacks. About two-thirds of them learned about attacks on their networks from third parties. Just as embarrassing, most of them had been infiltrated for more than six months. They just didn’t know it.

As millions of consumers were subjected to “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees,” as is alleged in the pending class action against Target, hundreds of lawsuits and investigations were initiated by consumers, banks, regulators and shareholders. Little wonder a recent national survey of nearly 500 business directors found that cybersecurity is the No. 1 issue on their minds.

Utah’s Data Breach Statute

Most of the lawsuits and investigations involving cyber-attacks include common law claims for breach of contract or negligence, including claims against businesses for failure to provide adequate security to protect personal information and/or the failure to timely notify consumers that their personal information was breached or compromised. In Utah, a statutory basis exists for the attorney general to hold businesses liable for the same failures.

Under the Protection of Personal Information Act (the Utah Act), with few exceptions, businesses in Utah must implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information they collect or maintain. Personal information includes a person’s first name or first initial and last name combined with a social security number; a financial account number, or credit card or debit card number; or any security code, access code or password that would permit access to the person’s account; or driver’s license number.

When businesses that own or license computerized data that includes personal information become aware of a breach, they must determine the likelihood that personal information has been or will be misused, and if there is a likelihood, notify each person as soon as possible unless law enforcement asks them not to for investigative purposes. The only other reasons businesses may delay notification are to determine the scope of the breach and after restoring the reasonable integrity of their security systems.

Failure to comply with the Utah Act can subject businesses to civil fines up to $2,500 per consumer and up to $100,000 for related violations involving more than one consumer. While not an independent basis for liability for consumers to assert in private lawsuits, the Utah Act at least establishes a baseline of notification procedures businesses should follow when personal information has been breached or compromised.

Federal Response to Data Breach Landscape

After numerous executive orders, proposed guidelines and directives to establish a cybersecurity framework, the federal government is considering cybersecurity legislation that may preempt the Utah Act. On March 25, bipartisan legislation being referred to as the Data Security and Breach Notification Act of 2015 (DSBN) was submitted to Congress. As presently drafted, if enacted the DSBN would apply to most businesses, would preempt all state data breach notification laws, would only require businesses to notify consumers if breaches are likely to lead to economic harm, and would expand the definition of personal information. As a single standard, the DSBN would have obvious benefits for businesses over the existing patchwork and evolving legislation and standards. Importantly, the DSBN would be enforced by the Federal Trade Commission, which would have authority to issue uncapped civil penalties.     

For Cybersecurity, the Future is Now

The cybersecurity landscape is more complex than ever. Even leading cybersecurity experts admit they cannot prevent every intrusion or breach. Already there are cybersecurity issues relating to mobile apps and the Internet of Things, the network of embedded electronics, software and sensors that enable the exchange of data with manufacturers, operators and/or other connected devices (e.g., internet-connected TVs, gaming consoles and learning thermostats). Experts estimate that there will be 50 billion connected devices by 2020, as well as ubiquitous unmanned aircraft systems and autonomous robots also powered by big data and network connectivity.

Understanding cybersecurity legislation and industry standards is essential because they continue to evolve. Staying informed will be a challenge—and a necessity—for every growing business.

Romaine Marshall is a litigation and trial attorney at Holland & Hart based in Salt Lake City who represents clients in data intrusion, theft and loss cases. Tracy Gray is an intellectual property attorney at Holland & Hart based in Boulder who advises clients on data security, breach prevention and response strategies.      

Utah Business Social
UB Events View All
Community Events View All  |  90 South 400 West, Ste 650 Salt Lake City, Utah 84101   |  (801) 568-0114

Advertise with Utah Business

Submit an Event

* indicates required information
* Event Name:
Price (general):
Website (if applicable):
Coordinator's Name:
Coordinator's Email:
Coordinator's Phone:
Venue Name:
Venue Address:
Venue City:
Venue Zip:
Event Capacity:
* Event Description: