Cybersecurity statutes (background)
In plain terms. Utah combines a personal-information protection law with a technology-governance act that centralizes state IT under a CIO and a Chief Information Security Officer, plus a newer government data-privacy act.
Who it applies to. State agencies and their IT vendors; the personal-information and data-privacy provisions also reach businesses handling Utah residents' data. Utah's statutes reference NIST/FIPS standards.
What it requires. The Protection of Personal Information Act requires safeguarding personal data and notifying the Attorney General or the Utah Cyber Center of a security breach. The Technology Governance Act establishes the state CIO, a Chief Information Security Officer who assesses cybersecurity risks, and agency IT plans. The Government Data Privacy Act and Information Technology Act round out the framework.
Why it matters. Vendors handling Utah data face breach-notification duties to the state, and IT vendors must work within the state's centralized technology governance.
Citation. Utah Code Ann. §§ 13-44 (Protection of Personal Information Act, incl. § 13-44-202 breach notification), 63A-16 (Utah Technology Governance Act, incl. § 63A-16-210 Chief Information Security Officer), 63A-19 (Government Data Privacy Act), and 63D (Information Technology Act). References NIST/FIPS.
Regulations & policies (background)
In plain terms. Utah's IT acquisition and use rules sit in the state Administrative Code.
Who it applies to. State agencies and their IT vendors.
What it requires. State rules govern the acquisition of information technology and the acceptable use of information-technology resources, setting expectations agencies follow when buying and operating IT.
Why it matters. Vendors selling IT to Utah should expect their products and engagements to align with the state's IT-acquisition rules.
Citation. Utah Admin. Code R895-5 (Acquisition of Information Technology) and R895-7 (Acceptable Use of Information Technology Resources).