UTAH DATA BREACH NOTIFICATION PACKET

(Template – Letter to Utah Attorney General & Utah Residents)

[// GUIDANCE: This template is designed to satisfy the Utah Protection of Personal Information Act, Utah Code Ann. § 13-44-101 et seq. (“UPPIA”). Edit all bracketed placeholders, delete guidance comments before issuing, and confirm final form against the statute in force on the date of issuance.]

TABLE OF CONTENTS

1. Document Header
2. Definitions
3. Attorney General Notification Letter (Form A)
4. Resident/Consumer Notification Letter (Form B)
5. Exhibits & Optional Enclosures

1. DOCUMENT HEADER

Document Title: Utah Data Breach Notification Packet
Prepared For: [COMPANY LEGAL NAME], a [STATE OF INCORPORATION] [ENTITY TYPE] (“Company”)
Effective Date of Notice: [____] (“Notice Date”)
Utah Governing Law: Utah Code Ann. § 13-44-101 et seq.
Notice Delivery Deadline: 45 days from Breach Determination Date (per UPPIA)

2. DEFINITIONS

For ease of reference in both Form A and Form B:

“Breach” means a compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood of resulting in, the unauthorized acquisition of Personal Information.

“Breach Determination Date” means the date on which Company concluded, after a reasonable and prompt investigation, that Personal Information of Utah Residents was acquired by an unauthorized person.

“Incident Date” means the first date on which the Breach is believed to have occurred (or the best estimate if the exact date is unknown).

“Personal Information” or “PI” has the meaning given in Utah Code Ann. § 13-44-102(5).

“Utah Resident” means an individual who is a resident of the State of Utah and whose PI was, or is reasonably believed to have been, acquired in the Breach.

3. FORM A – ATTORNEY GENERAL NOTIFICATION LETTER

[ON COMPANY LETTERHEAD]

[Date]

Utah Attorney General’s Office
Data Breach Notification Coordinator
350 North State Street, Suite 230
Salt Lake City, UT 84114
E-mail: [email protected]
Re: Data Breach Notification – [COMPANY LEGAL NAME]

Dear Sir or Madam:

Pursuant to Utah Code Ann. § 13-44-202, [COMPANY LEGAL NAME] (“Company”) hereby provides notice of a data breach involving Utah Residents.

1. Breach Determination Date: [DATE]
2. Incident Date & Duration: [DATE RANGE OR “Undetermined; investigation ongoing”]
3. Discovery Date: [DATE]
4. Approximate Number of Utah Residents Affected: [###]
5. Total Individuals Affected (All Jurisdictions): [###]
6. Types of Personal Information Involved:
   • [Social Security numbers]
   • [Driver license or state ID numbers]
   • [Financial account numbers + access codes]
   • [Other — specify]
7. Brief Description of Event:
   On [Incident Date], Company detected [e.g., unauthorized access to its network via phishing e-mail], resulting in potential acquisition of the PI listed above.
8. Remediation & Containment Measures:
   • Contained unauthorized access on [DATE].
   • Engaged third-party cybersecurity firm on [DATE].
   • Reset user credentials, enhanced MFA, and deployed endpoint monitoring.
9. Consumer Notification:
   Company intends to mail written notice to affected Utah Residents beginning on or before [DATE — must be ≤ 45 days after Breach Determination Date], in substantially the form attached hereto as Form B.
10. Law-Enforcement Coordination:
    [Yes/No] – Company contacted [LAW-ENFORCEMENT AGENCY] on [DATE]; request for delayed notice [has/has not] been made.
11. Point of Contact:
    [NAME, TITLE]
    [ADDRESS]
    Tel: [(###) ###-####]
    E-mail: [EMAIL]

Please contact the undersigned should you require additional information.

Sincerely,

[NAME]
[Title]
[COMPANY LEGAL NAME]
[// GUIDANCE: Attach Form B (consumer notice), a list of affected Utah Residents (if requested securely), and any additional documentation requested by the AG.]

4. FORM B – RESIDENT/CONSUMER NOTIFICATION LETTER

[ON COMPANY LETTERHEAD]

[Date]

[First Name Last Name]
[Street Address]
[City, State ZIP]

Subject: Notice of Data Breach

Dear [First Name],

We are writing to inform you of a data security incident that may have involved your personal information. Protecting your information is of the utmost importance to us, and we sincerely regret any concern this may cause.

1. What Happened
   On [Incident Date], we discovered unauthorized activity in our [system description]. Our investigation, completed on [Breach Determination Date], determined that an unauthorized person may have accessed certain files containing personal information of Utah Residents, including yours.

2. What Information Was Involved
   The information may have included one or more of the following: [Social Security number], [driver license or state identification number], [financial account number + access code], [medical/health insurance information], and [other]. Importantly, the incident did not involve [specify if certain data was not affected, e.g., credit-card numbers or passwords, if applicable].

3. What We Are Doing
   • Immediately secured the affected systems and engaged a leading cybersecurity firm.
   • Notified law enforcement and the Utah Attorney General.
   • Implemented enhanced security measures, including multi-factor authentication and continuous monitoring.
   • Offering you [12/24] months of complimentary credit monitoring and identity-theft protection services through [VENDOR NAME].
   • Established a dedicated call center and e-mail support team.

4. What You Can Do
   We encourage you to:
   • Enroll in the complimentary credit monitoring service by [ENROLLMENT DEADLINE]; your activation code is [CODE].
   • Review account statements and credit reports for unauthorized activity.
   • Consider placing a fraud alert or security freeze on your credit file.
   • Change any passwords or security questions you use for Company accounts or elsewhere, particularly if they are similar.

Contact information for the major consumer reporting agencies is provided below:

• Equifax: 1-800-685-1111 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com

For additional information on identity theft, you may visit the Federal Trade Commission at www.identitytheft.gov or call 1-877-ID-THEFT (1-877-438-4338).

5. For More Information
   If you have any questions, please contact our dedicated response team at [(###) ###-####] between [HOURS] or e-mail us at [EMAIL]. You may also write to us at [MAILING ADDRESS].

We value the trust you place in us and regret any inconvenience. Thank you for your attention to this important matter.

Sincerely,

[NAME]
[Title]
[COMPANY LEGAL NAME]

5. EXHIBITS & OPTIONAL ENCLOSURES

A. Sample Consumer Address List (Confidential)
B. Credit Monitoring Program Instructions
C. FAQ Sheet for Inbound Call Center
D. Incident Timeline (Internal Use Only)

[// GUIDANCE: Attach only materials legally required or judged useful; maintain confidentiality of personal data in transit. Consider encrypting electronic submissions and using secure portals where available.]

ADDITIONAL COMPLIANCE CHECKLIST

1. Confirm notice is issued “without unreasonable delay” and not later than 45 days after Breach Determination Date.
2. If ≥ 500 Utah Residents are affected, ensure AG notice is provided contemporaneously with or before resident notice.
3. If ≥ 1,000 individuals (any jurisdiction) are affected, notify all nationwide consumer reporting agencies.
4. Maintain written documentation of the investigation and decision-making process for at least five (5) years.
5. Preserve evidence in the event of regulatory inquiry or civil litigation.

[// GUIDANCE: Utah does not currently mandate specific penalties for late notice, but failure to comply may constitute a deceptive trade practice enforceable by the AG. Timely, accurate, and complete notice mitigates statutory exposure.]