(1)(a) If a significant data breach occurs either at an educational entity or a third-party contractor using data disclosed by an educational entity, the educational entity shall notify each student in writing whose personally identifiable student data was disclosed.
- (b) The notification shall include all components of the model data breach notification prepared under Subsection 53H-14-502(4)(b)(iii). An education entity may add additional content to the notification.
- (c) The educational entity may communicate the notification by any written means that the education entity routinely uses for official communications with individual students.
- (2) An education entity that provides notice of a data breach to affected individuals as required under any other law is deemed to have met the requirements of this rule with regard to the individuals so notified.
- (3) For notifications regarding release, access, or disclosure of a record containing protected health information as defined in 45 CFR Part 164, Standards for Privacy of Individually Identifiable Health Information, the education entity shall comply with that part.
- (4) The Office of the Commissioner of Higher Education may develop and communicate to each institution guidelines for compliance with this rule.
KEY: Utah Board of Higher Education, Data Breaches, Student Data Protection
Date of Last Change: April 7, 2026
Authorizing, and Implemented or Interpreted Law: 53H-14-504