Utah Admin. Code R765-1010-4 - Significant Data Breaches
(1) Except as provided in Subsection (2), a data breach shall be significant if the education entity that maintains the personally identifiable student data released, accessed, or disclosed in the breach determines that there is a moderate or high probability of substantial harm to the student based on a risk assessment considering the following factors based on the totality of the circumstances:
(a) the nature and extent of the personally identifiable student data involved, including the types of identifiers and the likelihood of re-identification;
(b) the degree to which the release, access, or disclosure of the personally identifiable student data breached could be used for unlawful purposes including subjecting an affected student to an invasion of privacy, heightened risk of unlawful discrimination, or identity theft or fraud;
(c) the unauthorized person who used the personally identifiable student data or to whom the disclosure was made;
(d) the likelihood that an unauthorized person acquired or viewed the personally identifiable student data;
(e) the extent to which the education entity has mitigated the potential harm and risk to the student;
(f) the extent to which prompt notification would allow affected students to further mitigate the harm and risk to them in addition to the actions that the education entity can take itself; and
(g) other factors that affect the likelihood that the incident is likely to result in substantial harm to the student.
(2) A data breach may not be significant to the extent that the breach involves:
(a) any inadvertent or unintentional acquisition, access, or use of personally identifiable student data by an employee or other person acting under the authority of an education entity or third-party contractor to another employee or other person acting under the authority of an education entity or third-party contractor, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under 53B, Chapter 28, Part 5, Higher Education Student Data Protection, or 34 CFR Part 99, Family Educational Rights and Privacy;
(b) a disclosure of personally identifiable student data where an education entity or third-party contractor has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain, use, or disclose such student data;
(c) a disclosure of personally identifiable student data where the education entity has implemented safeguards, such as encryption, which the education entity has a good faith belief that makes the personally identifiable student data unreadable or unusable;
(d) a disclosure of personally identifiable student data that the education entity lawfully published or was otherwise lawfully in the public domain before the disclosure; or
(e) a disclosure of the personally identifiable student data of fewer than 25 individuals.