63A-19-406. Data breach notice to individuals affected by data breach.
487 words·~2 min read·
/ut/title-63a/chapter-19/63a-19-406·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Effective 5/6/2026
63A-19-406. Data breach notice to individuals affected by data breach.
(a)Except as provided in Subsection (1)(b), a governmental entity shall provide cause a data breach notice to be sent to an individual or legal guardian of an individual affected by the data breach:
(i)after determining the scope of the data breach;
(ii)after restoring the reasonable integrity of the affected system, if necessary; and
(iii)without unreasonable delay except as provided in Subsection (2).
(b)A governmental entity or the governmental entity's contractor is not required to provide a data breach notice to an affected individual as described in Subsection (1)(a) if the:
(i)personal data involved in the data breach would be classified as a public record under Section 63G-2-301 ; and
(ii)the governmental entity prominently posts notice of the data breach on the homepage of the governmental entity's government website.
(2)A governmental entity or the governmental entity's contractor shall delay providing notification under Subsection
(1)at the request of a law enforcement agency that determines that notification may impede a criminal investigation, until the law enforcement agency informs the governmental entity that notification will no longer impede the criminal investigation.
(3)The data breach notice to an affected individual shall include:
(a)a description of the data breach;
(b)the individual's personal data that was accessed or may have been accessed;
(c)steps the governmental entity is taking or has taken to mitigate the impact of the data breach; and
(d)recommendations to the individual on how to protect the individual from identity theft and other financial losses.
(4)Unless the governmental entity reasonably believes that providing notification would pose a threat to the safety of an individual, or unless an individual has designated to the governmental entity a preferred method of communication, a governmental entity or the governmental entity's contractor shall provide notice by:
(i)email, if reasonably available and allowed by law; or
(ii)mail; and
(b)one of the following methods, if the individual's contact information is reasonably available and the method is allowed by law:
(i)text message with a summary of the data breach notice and instructions for accessing the full notice; or
(ii)telephone message with a summary of the data breach notice and instructions for accessing the full data breach notice.
(5)A governmental entity shall also provide a data breach notice in a manner that is reasonably calculated to have the best chance of being received by the affected individual or the legal guardian of an individual, such as through a press release, posting on appropriate social media accounts, or publishing notice in a newspaper of general circulation when:
(a)a data breach affects more than 500 individuals; and
(b)a governmental entity is unable to obtain an individual's contact information to provide notice for any method listed in Subsection (4).
Amended by Chapter 202 , 2026 General Session