Incident Response

Summary

Governmental entities are required to safeguard personal data in their possession. Incident response refers to a governmental entity’s systematic approach to address and manage security incidents or data breaches.

A governmental entity that identifies a data breach affecting 500 or more individuals must  notify the Cyber Center and the Attorney General’s Office. In addition, a governmental entity that identifies the unauthorized access, acquisition, disclosure, loss of access, or destruction of data that compromises the security, confidentiality, availability, or integrity of the computer systems used or information maintained by the governmental entity must provide notification to the Cyber Center. A governmental entity can report a breach at https://cybercenter.utah.gov/Report-a-Breach/

If a  governmental entity identifies the unauthorized access, unauthorized acquisition, unauthorized disclosure, loss of access, or unauthorized destruction of personal data that is used or is reasonably likely to be used to commit theft, fraud, or other criminal acts shall provide notification of the breach to each individual whose personal data is involved in the breach and the Attorney General’s Office.

Detailed requirements for providing notification of a data breach to an individual affected by the breach are described in Section 63A-19-406.