Utah Cybersecurity Laws You Should Know (2025)

As cyberattacks continue to rise across industries, Utah businesses face increasing pressure to protect sensitive data and comply with both state and federal regulations. Understanding Utah cybersecurity laws is essential for keeping customer information secure, maintaining trust, and avoiding penalties. Below, we break down the key cybersecurity laws that apply to Utah organizations in 2025.

Utah Cybersecurity Laws

Utah Consumer Privacy Act (UCPA) (Utah Code Ann. § 13-61-101 et seq.)

The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, is the state’s first comprehensive data privacy law. It gives Utah residents greater control over their personal information and imposes new obligations on businesses.

The UCPA applies to companies that:

  • Generate at least $25 million in annual revenue, and either
  • Process the personal data of 100,000 or more consumers annually, or
  • Process the personal data of 25,000 or more consumers while deriving over 50% of revenue from selling personal data.

Consumers have the right to access and delete their personal data and opt out of targeted advertising or data sales. Enforcement is handled by the Utah Attorney General, with potential civil penalties of up to $7,500 per violation.

Utah Data Breach Notification Act (Utah Code Ann. § 13-44-101 et seq.)

The Utah Data Breach Notification Act requires businesses and state agencies to notify affected individuals without unreasonable delay when personal information is compromised.

If the breach affects more than 500 Utah residents, businesses must also notify the Utah Attorney General and the Utah Consumer Protection Division. The notification must specify the types of information exposed and the steps taken to prevent further harm.

Utah Protection of Personal Information Act (Utah Code Ann. § 13-44-201 et seq.)

This law mandates that businesses maintain reasonable security procedures to protect personal identifying information (PII). It also requires secure disposal of sensitive data once it is no longer needed.

Utah Computer Crimes Act (Utah Code Ann. § 76-6-703 et seq.)

The Utah Computer Crimes Act makes it a crime to access or alter computer systems, data, or networks without authorization. Offenses include hacking, phishing, data theft, and distributing malicious software. Penalties range from misdemeanors to felonies depending on the extent of damage and intent.

Utah Electronic Signatures Act (Utah Code Ann. § 46-4-101 et seq.)

The Utah Electronic Signatures Act validates electronic records and signatures, giving them the same legal weight as traditional documents. Businesses must implement safeguards to prevent unauthorized access or tampering with electronic data.

Federal and Industry-Specific Cybersecurity Regulations That Affect Utah Businesses

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS applies to Utah businesses that handle credit card data. It mandates encryption, access control, and regular vulnerability testing to prevent payment data breaches.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies to Utah healthcare providers and their business associates managing personal health information (PHI). It requires administrative, technical, and physical safeguards for protecting patient data.

Gramm-Leach-Bliley Act (GLBA)

Financial institutions in Utah must comply with GLBA, which requires written information security programs, consumer privacy notices, and employee cybersecurity training.

General Data Protection Regulation (GDPR)

GDPR applies to Utah businesses collecting or processing personal data of EU citizens. It requires explicit consent and provides individuals with rights to access, correct, or delete their personal data.

Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)

Utah financial institutions operating in New York must comply with NYDFS cybersecurity regulations, which include multifactor authentication, encryption, and incident reporting.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is widely used by Utah’s manufacturing, defense, and technology sectors to identify, protect, detect, respond to, and recover from cybersecurity incidents.

Federal Trade Commission (FTC) Act

The FTC Act requires Utah businesses to adopt reasonable security measures and prohibits deceptive practices related to privacy or data protection.

Children’s Online Privacy Protection Act (COPPA)

If your Utah business collects personal information from children under 13, COPPA applies. It requires verified parental consent and restricts data sharing.

Sarbanes-Oxley Act (SOX)

Publicly traded companies in Utah must comply with SOX, which enforces secure financial reporting and internal controls against data manipulation.

Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student educational records and applies to Utah schools and organizations that handle educational data.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA requires Utah critical infrastructure entities, including those in energy, defense, and utilities, to report major cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

CAN-SPAM Act

The CAN-SPAM Act governs email marketing practices, requiring truthful subject lines, accurate sender information, and clear unsubscribe options.

Defense Federal Acquisition Regulation Supplement (DFARS)

Utah defense contractors must comply with DFARS cybersecurity requirements aligned with NIST SP 800-171, ensuring the protection of controlled unclassified information.

Section 5 of the FTC Act (Unfair or Deceptive Practices)

Section 5 prohibits deceptive or negligent cybersecurity practices, holding Utah businesses accountable for failing to protect consumer data.

More Utah Cybersecurity Laws to Be Aware Of

The Utah Department of Technology Services (DTS) oversees cybersecurity initiatives for government agencies and promotes collaboration between public and private entities to improve statewide cyber resilience.

Private-sector organizations are encouraged to:

  • Conduct annual cybersecurity risk assessments
  • Encrypt sensitive data in storage and transit
  • Maintain written incident response plans
  • Adopt frameworks such as NIST, CIS Controls, or ISO 27001

These actions enhance compliance readiness and protect against threats like ransomware, phishing, and insider attacks.

Conclusion

Compliance with Utah cybersecurity laws is vital for any organization operating in the state. With the Utah Consumer Privacy Act now in effect, businesses must focus on transparency, data protection, and responsible handling of personal information.

If your organization needs support managing compliance or building a stronger cybersecurity framework, we provide solutions designed to keep Utah businesses secure and compliant.

Frequently Asked Questions About Utah Cybersecurity Laws

  1. What is Utah’s main cybersecurity law?
    The Utah Consumer Privacy Act (UCPA) is the state’s main data privacy and cybersecurity law, effective December 31, 2023.
  2. How soon must Utah businesses report a data breach?
    They must notify affected individuals without unreasonable delay and inform the Attorney General if the breach impacts more than 500 residents.
  3. Who enforces cybersecurity laws in Utah?
    The Utah Attorney General’s Office enforces the UCPA and other consumer protection and cybersecurity laws.
  4. What penalties exist for noncompliance with the UCPA?
    Violations can result in civil penalties of up to $7,500 per violation.
  5. What cybersecurity frameworks are recommended for Utah businesses?
    Frameworks such as NIST and ISO 27001 are recommended for managing risk and demonstrating compliance.


Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.

Mitch Wolverton

Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.