Read the full stored bill text
20
63A-16-214
63A-16-1101
63A-16-1102
63A-16-1103
63A-16-1104
63C-27-201
63J-1-602.1
63A-16-214
63A-16-1101
63A-16-1102
63A-16-1103
63A-16-1104
63C-27-201
63J-1-602.1
0
Privacy and Cybersecurity Amendments
2026 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Wayne A. Harper
House Sponsor: Ryan D. Wilcox
LONG TITLE
General Description:
This bill modifies provisions related to the Utah Cyber Center.
Highlighted Provisions:
This bill:
adds the Department of Environmental Quality an as entity that the Utah Cyber Center
will collaborate with when performing legislative duties;
modifies the deadline for developing a statewide strategic cybersecurity plan;
expands the Utah Cyber Center's duties to include local education agencies;
modifies the composition of the Cybersecurity Commission to include a representative
from the Utah Education and Telehealth Network;
creates the Utah Cyber Center Restricted Account (account) and makes appropriations
from the account nonlapsing;
repeals a section related to government cybersecurity; and
makes technical and conforming changes.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
AMENDS:
63A-16-1101
Effective
05/06/26
, as enacted by Laws of Utah 2024, Chapter 426
63A-16-1102
Effective
05/06/26
, as last amended by Laws of Utah 2025, First Special
Session, Chapter 9
63A-16-1103
Effective
05/06/26
, as renumbered and amended by Laws of Utah 2024,
Chapter 426
63C-27-201
Effective
05/06/26
Repealed
07/01/32
, as enacted by Laws of Utah 2022,
Chapter 153
63J-1-602.1
Effective
05/06/26
, as last amended by Laws of Utah 2025, First Special
Session, Chapter 9
ENACTS:
63A-16-1104
Effective
05/06/26
, Utah Code Annotated 1953
REPEALS:
63A-16-214
Effective
05/06/26
, as enacted by Laws of Utah 2023, Chapter 484
Be it enacted by the Legislature of the state of Utah:
Section 1. Section
63A-16-1101
is amended to read:
63A-16-1101
Effective
05/06/26
. Definitions.
As used in this part:
(1)
"Cyber Center" means the Utah Cyber Center created in Section
63A-16-1102
.
(2)
"Data breach" means the unauthorized access, acquisition, disclosure, loss of access, or
destruction of:
(a)
personal data affecting 500 or more individuals; or
(b)
data that compromises the security, confidentiality, availability, or integrity of the
computer systems used or information maintained by the governmental entity.
(3)
"Governmental entity" means the same as that term is defined in Section
63G-2-103
.
(4)
"Local education agency" means the same as that term is defined in Section
53E-1-102
.
(4)
(5)
"Personal data" means information that is linked or can be reasonably linked to an
identified individual or an identifiable individual.
Section 2. Section
63A-16-1102
is amended to read:
63A-16-1102
Effective
05/06/26
. Utah Cyber Center -- Creation -- Duties.
(1)
(a)
There is created within the division the Utah Cyber Center.
(b)
The chief information security officer appointed under Section
63A-16-210
shall
serve as the director of the
Cyber Center
.
(2)
The division shall operate the Cyber Center in partnership with the following entities
within the Department of Public Safety created in Section
53-1-103
:
(a)
the Statewide Information and Analysis Center;
(b)
the State Bureau of Investigation created in Section
53-10-301
; and
(c)
the Division of Emergency Management created in Section
53-2a-103
.
(3)
In addition to the entities described in Subsection
(3)
(2)
, the Cyber Center shall
collaborate with:
(a)
the Cybersecurity Commission created in Section
63C-27-201
;
(b)
the Office of the Attorney General;
(c)
the Utah Education and Telehealth Network created in Section
53H-4-213.4
;
(d)
the Department of Environmental Quality created in Section
19-1-104
;
(e)
appropriate federal partners, including the Federal Bureau of Investigation and the
Cybersecurity and Infrastructure Security Agency;
(e)
(f)
appropriate information sharing and analysis centers;
(f)
(g)
information technology directors, cybersecurity professionals, or equivalent
individuals representing political subdivisions in the state; and
(g)
(h)
any other person the division believes is necessary to carry out the duties
described in Subsection
(4)
.
(4)
The Cyber Center shall, within legislative appropriations:
(a)
by
June 30, 2024
January 1, 2027
, develop a statewide strategic cybersecurity plan
for governmental entities;
(b)
with respect to executive branch agencies
and local education agencies
:
(i)
identify, analyze, and, when appropriate, mitigate cyber threats and vulnerabilities;
(ii)
coordinate cybersecurity resilience planning;
(iii)
provide cybersecurity incident response capabilities; and
(iv)
recommend to the division standards, policies, or procedures to increase the
cyber resilience of executive branch agencies individually or collectively;
(c)
at the request of a governmental entity
or local education agency
, coordinate
cybersecurity incident response for a data breach affecting the governmental entity
or
local education agency
in accordance with Section
63A-19-405
;
(d)
promote cybersecurity
standards and
best practices
for governmental entities and
local education agencies in alignment with the controls published by the Center for
Internet Security
;
(e)
share cyber threat intelligence with governmental entities and, through the Statewide
Information and Analysis Center, with other public and private sector organizations;
(f)
serve as the state cybersecurity incident response repository to receive reports of
breaches of system security, including notification or disclosure under Section
13-44-202
and data breaches under Section
63A-16-1103
;
(g)
develop incident response plans to coordinate federal, state, local, and private sector
activities and manage the risks associated with an attack or malfunction of critical
information technology systems within the state;
(h)
coordinate, develop, and share best practices for cybersecurity resilience in the state;
(i)
identify sources of funding to make cybersecurity improvements throughout the state;
(j)
develop a sharing platform to provide resources based on information,
recommendations, and best practices; and
(k)
partner with institutions of higher education and other public and private sector
organizations to increase the state's cyber resilience.
Section 3. Section
63A-16-1103
is amended to read:
63A-16-1103
Effective
05/06/26
. Assistance to governmental entities and local
education agencies -- Records.
(1)
The Cyber Center shall provide a governmental entity
or local education agency
with
assistance in responding to a data breach reported under Section
63A-19-405
, which
may include:
(a)
conducting all or part of an internal investigation into the data breach;
(b)
assisting law enforcement with the law enforcement investigation if needed;
(c)
determining the scope of the data breach;
(d)
assisting the governmental entity in restoring the reasonable integrity of the system;
or
(e)
providing any other assistance in response to the reported data breach.
(2)
(a)
A governmental entity that is required to submit information under Section
63A-19-405
shall provide records to the Cyber Center as a shared record in
accordance with Section
63G-2-206
.
(b)
The following information may be deemed confidential and may only be shared as
provided in Section
63G-2-206
:
(i)
the information provided to the Cyber Center by a governmental entity under
Section
63A-19-405
; and
(ii)
information produced by the Cyber Center in response to a report of a data breach
under Subsection
(1)
.
Section 4. Section
63A-16-1104
is enacted to read:
63A-16-1104
Effective
05/06/26
. Utah Cyber Center Restricted Account --
Creation -- Funding -- Uses.
(1)
There is created within the General Fund a restricted account known as the "Utah Cyber
Center Restricted Account."
(2)
The restricted account consists of:
(a)
appropriations made to the account by the Legislature;
(b)
federal grant funding;
(c)
private donations, grants, gifts, or bequests; and
(d)
interest earned on the account.
(3)
The Cyber Center shall administer the account.
(4)
Subject to appropriations, the Cyber Center shall use restricted account money for:
(a)
developing and implementing the statewide strategic cybersecurity plan;
(b)
providing cybersecurity tools, services, and incident response capabilities to
governmental entities and local education agencies;
(c)
conducting cybersecurity assessments and audits for governmental entities and local
education agencies;
(d)
providing cybersecurity training and awareness programs;
(e)
acquiring and maintaining cybersecurity technology and infrastructure;
(f)
supporting cyber threat intelligence sharing activities; and
(g)
any other activities necessary to carry out the duties described in Section
63A-16-1102
.
(5)
The interest earned on account money shall be deposited into the account.
Section 5. Section
63C-27-201
is amended to read:
63C-27-201
Effective
05/06/26
Repealed
07/01/32
. Cybersecurity Commission
created.
(1)
There is created the Cybersecurity Commission.
(2)
The commission shall be composed
of 24
of the following
members:
(a)
one member the governor designates to serve as the governor's designee;
(b)
the commissioner of the Department of Public Safety;
(c)
the lieutenant governor, or an election officer, as that term is defined in Section
20A-1-102
, the lieutenant governor designates to serve as the lieutenant governor's
designee;
(d)
the chief information officer of the Division of Technology Services;
(e)
the chief information security officer, as described in Section
63A-16-210
;
(f)
the chairman of the Public Service Commission shall designate a representative with
professional experience in information technology or cybersecurity;
(g)
the executive director of the
Utah
Department of Transportation shall designate a
representative with professional experience in information technology or
cybersecurity;
(h)
the director of the Division of Finance shall designate a representative with
professional experience in information technology or cybersecurity;
(i)
the executive director of the Department of Health and Human Services shall
designate a representative with professional experience in information technology or
cybersecurity;
(j)
the director of the Division of Indian Affairs shall designate a representative with
professional experience in information technology or cybersecurity;
(k)
the Utah League of Cities and Towns shall designate a representative with
professional experience in information technology or cybersecurity;
(l)
the Utah Association of Counties shall designate a representative with professional
experience in information technology or cybersecurity;
(m)
the attorney general, or the attorney general's designee;
(n)
the commissioner of financial institutions, or the commissioner's designee;
(o)
the executive director of the Department of Environmental Quality shall designate a
representative with professional experience in information technology or
cybersecurity;
(p)
the executive director of the Department of Natural Resources shall designate a
representative with professional experience in information technology or
cybersecurity;
(q)
the highest ranking information technology official, or the official's designee, from
each of:
(i)
the Judicial Council;
(ii)
the Utah Board of Higher Education;
(iii)
the State Board of Education;
(iv)
the Utah Education and Telehealth Network;
and
(iv)
(v)
the State Tax Commission;
(r)
the governor shall appoint:
(i)
one representative from the Utah National Guard; and
(ii)
one representative from the Governor's Office of Economic Opportunity;
(s)
the president of the Senate shall appoint one member of the Senate; and
(t)
the speaker of the House of Representatives shall appoint one member of the House
of Representatives.
(3)
(a)
The governor's designee shall serve as cochair of the commission.
(b)
The commissioner of the Department of Public Safety shall serve as cochair of the
commission.
(4)
(a)
The members described in Subsection
(2)
shall represent urban, rural, and
suburban population areas.
(b)
No fewer than half of the members described in Subsection
(2)
shall have
professional experience in cybersecurity or in information technology.
(5)
In addition to the membership described in Subsection
(2)
, the commission shall seek
information and advice from state and private entities with expertise in critical
infrastructure.
(6)
As necessary to improve information and protect potential vulnerabilities, the
commission shall seek information and advice from federal entities including:
(a)
the Cybersecurity and Infrastructure Security Agency;
(b)
the Federal Energy Regulatory Commission;
(c)
the Federal Bureau of Investigation; and
(d)
the United States Department of Transportation.
(7)
(a)
Except as provided in Subsections
(7)(b)
and
(c)
, a member is appointed for a
term of four years.
(b)
A member shall serve until the member's successor is appointed and qualified.
(c)
Notwithstanding the requirements of Subsection
(7)(a)
, the governor shall, at the
time of appointment or reappointment, adjust the length of terms to ensure that the
terms of commission members are staggered so that approximately half of the
commission members appointed under Subsection
(2)(r)
are appointed every two
years.
(8)
(a)
If a vacancy occurs in the membership of the commission, the member shall be
replaced in the same manner in which the original appointment was made.
(b)
An individual may be appointed to more than one term.
(c)
When a vacancy occurs in the membership for any reason, the replacement shall be
appointed for the unexpired term.
(9)
(a)
A majority of the members of the commission is a quorum.
(b)
The action of a majority of a quorum constitutes an action of the commission.
(10)
The commission shall meet at least two times a year.
Section 6. Section
63J-1-602.1
is amended to read:
63J-1-602.1
Effective
05/06/26
. List of nonlapsing appropriations from
accounts and funds.
Appropriations made from the following accounts or funds are nonlapsing:
(1)
The Native American Repatriation Restricted Account created in Section
9-9-407
.
(2)
Certain money payable for expenses of the Pete Suazo Utah Athletic Commission, as
provided under Title
9, Chapter 23
, Pete Suazo Utah Athletic Commission Act.
(3)
Funds collected for directing and administering the C-PACE district created in Section
11-42a-106
.
(4)
Money received by the Utah Inland Port Authority, as provided in Section
11-58-105
.
(5)
The Commerce Electronic Payment Fee Restricted Account created in Section
13-1-17
.
(6)
The Division of Air Quality Oil, Gas, and Mining Restricted Account created in Section
19-2a-106
.
(7)
The Division of Water Quality Oil, Gas, and Mining Restricted Account created in
Section
19-5-126
.
(8)
State funds for matching federal funds in the Children's Health Insurance Program as
provided in Section
26B-3-906
.
(9)
Funds collected from the program fund for local health department expenses incurred in
responding to a local health emergency under Section
26B-7-111
.
(10)
The Technology Development Restricted Account created in Section
31A-3-104
.
(11)
The Criminal Background Check Restricted Account created in Section
31A-3-105
.
(12)
The Captive Insurance Restricted Account created in Section
31A-3-304
, except to the
extent that Section
31A-3-304
makes the money received under that section free revenue.
(13)
The Title Licensee Enforcement Restricted Account created in Section
31A-23a-415
.
(14)
The Health Insurance Actuarial Review Restricted Account created in Section
31A-30-115
.
(15)
The State Mandated Insurer Payments Restricted Account created in Section
31A-30-118
.
(16)
The Insurance Fraud Investigation Restricted Account created in Section
31A-31-108
.
(17)
The Underage Drinking Prevention Media and Education Campaign Restricted
Account created in Section
32B-2-306
.
(18)
The School Readiness Restricted Account created in Section
35A-15-203
.
(19)
Money received by the Utah State Office of Rehabilitation for the sale of certain
products or services, as provided in Section
35A-13-202
.
(20)
The Property Loss Related to Homelessness Compensation Enterprise Fund created in
Section
35A-16-212
.
(21)
The Homeless Shelter Cities Mitigation Restricted Account created in Section
35A-16-402
.
(22)
The Oil and Gas Administrative Penalties Account created in Section
40-6-11
.
(23)
The Oil and Gas Conservation Account created in Section
40-6-14.5
.
(24)
The Division of Oil, Gas, and Mining Restricted account created in Section
40-6-23
.
(25)
The Electronic Payment Fee Restricted Account created by Section
41-1a-121
to the
Motor Vehicle Division.
(26)
The License Plate Restricted Account created by Section
41-1a-122
.
(27)
The Motor Vehicle Enforcement Division Temporary Permit Restricted Account
created by Section
41-3-110
to the State Tax Commission.
(28)
The State Disaster Recovery Restricted Account to the Division of Emergency
Management, as provided in Section
53-2a-603
.
(29)
The Disaster Response, Recovery, and Mitigation Restricted Account created in
Section
53-2a-1302
.
(30)
The Emergency Medical Services Critical Needs Account created in Section
53-2d-110
.
(31)
The Department of Public Safety Restricted Account to the Department of Public
Safety, as provided in Section
53-3-106
.
(32)
The Utah Highway Patrol Aero Bureau Restricted Account created in Section
53-8-303
.
(33)
The DNA Specimen Restricted Account created in Section
53-10-407
.
(34)
The Technical Colleges Capital Projects Fund created in Section
53H-9-605
.
(35)
The Higher Education Capital Projects Fund created in Section
53H-9-502
.
(36)
A certain portion of money collected for administrative costs under the School
Institutional Trust Lands Management Act, as provided under Section
53C-3-202
.
(37)
The Public Utility Regulatory Restricted Account created in Section
54-5-1.5
, subject
to Subsection
54-5-1.5(4)(d)
.
(38)
Funds collected from a surcharge fee to provide certain licensees with access to an
electronic reference library, as provided in Section
58-3a-105
.
(39)
Certain fines collected by the Division of Professional Licensing for violation of
unlawful or unprofessional conduct that are used for education and enforcement
purposes, as provided in Section
58-17b-505
.
(40)
Funds collected from a surcharge fee to provide certain licensees with access to an
electronic reference library, as provided in Section
58-22-104
.
(41)
Funds collected from a surcharge fee to provide certain licensees with access to an
electronic reference library, as provided in Section
58-55-106
.
(42)
Funds collected from a surcharge fee to provide certain licensees with access to an
electronic reference library, as provided in Section
58-56-3.5
.
(43)
Certain fines collected by the Division of Professional Licensing for use in education
and enforcement of the Security Personnel Licensing Act, as provided in Section
58-63-103
.
(44)
The Relative Value Study Restricted Account created in Section
59-9-105
.
(45)
The Cigarette Tax Restricted Account created in Section
59-14-204
.
(46)
Funds paid to the Division of Real Estate for the cost of a criminal background check
for a mortgage loan license, as provided in Section
61-2c-202
.
(47)
Funds paid to the Division of Real Estate for the cost of a criminal background check
for principal broker, associate broker, and sales agent licenses, as provided in Section
61-2f-204
.
(48)
Certain funds donated to the Department of Health and Human Services, as provided
in Section
26B-1-202
.
(49)
Certain funds donated to the Division of Child and Family Services, as provided in
Section
80-2-404
.
(50)
Funds collected by the Office of Administrative Rules for publishing, as provided in
Section
63G-3-402
.
(51)
The Immigration Act Restricted Account created in Section
63G-12-103
.
(52)
Money received by the military installation development authority, as provided in
Section
63H-1-504
.
(53)
The Unified Statewide 911 Emergency Service Account created in Section
63H-7a-304
.
(54)
The Utah Statewide Radio System Restricted Account created in Section
63H-7a-403
.
(55)
The Utah Capital Investment Restricted Account created in Section
63N-6-204
.
(56)
The Motion Picture Incentive Account created in Section
63N-8-103
.
(57)
Funds collected by the housing of state probationary inmates or state parole inmates, as
provided in Subsection
64-13e-104(2)
.
(58)
Certain forestry and fire control funds utilized by the Division of Forestry, Fire, and
State Lands, as provided in Section
65A-8-103
.
(59)
The following funds or accounts created in Section
72-2-124
:
(a)
Transportation Investment Fund of 2005;
(b)
Transit Transportation Investment Fund;
(c)
Cottonwood Canyons Transportation Investment Fund;
(d)
Active Transportation Investment Fund; and
(e)
Commuter Rail Subaccount.
(60)
The Amusement Ride Safety Restricted Account, as provided in Section
72-16-204
.
(61)
Certain funds received by the Office of the State Engineer for well drilling fines or
bonds, as provided in Section
73-3-25
.
(62)
The Water Resources Conservation and Development Fund, as provided in Section
73-23-2
.
(63)
Award money under the State Asset Forfeiture Grant Program, as provided under
Section
77-11b-403
.
(64)
Funds donated or paid to a juvenile court by private sources, as provided in Subsection
78A-6-203(1)(c)
.
(65)
Fees for certificate of admission created under Section
78A-9-102
.
(66)
Funds collected for adoption document access as provided in Sections
81-13-103
,
81-13-504
, and
81-13-505
.
(67)
Funds collected for indigent defense as provided in Title
78B, Chapter 22, Part 4
, Utah
Indigent Defense Commission.
(68)
The Utah Geological Survey Restricted Account created in Section
79-3-403
.
(69)
Revenue for golf user fees at the Wasatch Mountain State Park, Palisades State Park,
and Green River State Park, as provided under Section
79-4-403
.
(70)
Certain funds received by the Division of State Parks from the sale or disposal of
buffalo, as provided under Section
79-4-1001
.
(71)
The Utah Cyber Center Restricted Account created in Section
63A-16-1104
.
Section 7.
Repealer.
Zero trust architectures -- Implementation -- Requirements --
Reporting.
Section 8.
Effective Date.
This bill takes effect on
May 6, 2026
.
3-11-26 1:36 PM