Is Your Business Fully Compliant with Utah’s Cybersecurity Laws?

Businesses around the country are struggling with ongoing cybersecurity challenges: poor password security by users, confusing and often conflicting government requirements, an overabundance of data sources and third-party vendors who may or may not be following the same rigor when it comes to their security procedures. Each of these issues requires a full review and strategy session as well as the potential of remediation — time-consuming and tedious work that your overtaxed IT department is not looking forward to.

Ensuring that your business stays compliant with Utah cybersecurity laws means having a thorough understanding of the requirements and how they need to be interpreted for your business. Some of the recent legislation in Utah could mean that you need to quickly review your use and storage of personally identifiable information and make some immediate changes to your procedures.

PI and Data Breaches

The term “PI” refers to personal information, specifically defined by Utah law as a first name or first initial and last name combined with other items such as a social security number, credit or debit card number, access code, password, state ID number or driver’s license number. These data points can be worth hundreds or even thousands of dollars on the dark web if hackers are able to infiltrate your storage systems. When such data elements are being stored, not only do you have to worry about cybersecurity, you also have to keep in mind the various data privacy laws that are cropping up around the country. Europe’s GDPR regulations were swiftly followed by California’s Consumer Privacy Act. Utah is one of several states that is also considering similar legislation requiring specific actions to be taken in the event of a cybersecurity incident.

Specifics of Utah’s Cybersecurity Law

Utah’s law requires that organizations put “reasonable procedures” in place to prevent the unlawful use or disclosure of personal information. The law does not fully define what constitutes reasonable procedures in this instance, but you can look to HIPAA’s Security Rule and the data security regulations in Massachusetts and other states for guidance. Creating a secure environment for your entity’s data could include the following components:

  • Written cybersecurity and incident response plans that include a thorough risk assessment
  • Maps that detail where data is stored, and documentation of who has access to any PI, whether internally or externally
  • Specific policies covering employee security and administrative procedures
  • A detailed plan for the decommissioning of systems and the destruction of user data
  • A communication strategy that includes sharing information about any potential breach with affected customers
  • Vetting of third-party vendors to ensure they follow cybersecurity procedures as rigorous as the entity’s own
  • Encryption of data both at rest and in transit

There are also specific requirements around how and when sensitive records should be destroyed. Data that is stored either digitally or in paper format must be fully destroyed in order to be compliant with Utah data protection laws.

At Nexus IT Consultants, we work with organizations of all sizes to define and implement best practices for data storage, transfer and deletion. As a Utah IT services company, we have a firm grasp of the state’s unique requirements in terms of data and cybersecurity and can help protect your business in the event of a breach. Contact our proactive team of professionals today at 801-839-7006 or chat with one of our friendly service agents online for a quick response.