(1) An LEA shall report a data breach to the Cyber Center:
- (a) in accordance with Section 63A-19-405; and
- (b) consistent with standards and procedures established in rule under Subsection 63C-27-202(9).
(2) In addition to the requirements in Section 63A-19-405, an LEA shall:
- (a) notify the state board within 24 hours of discovering the data breach;
- (b) coordinate with UETN if the data breach involves network infrastructure or services provided by UETN; and
- (c) cooperate with the Cyber Center's investigation and response efforts.
- (3) The Cyber Center shall provide assistance to an LEA in responding to a data breach in the same manner the Cyber Center provides assistance to a governmental entity as described in Title 63A, Chapter 16, Part 11, Utah Cyber Center.
(4) An LEA shall:
- (a) participate in cybersecurity information sharing initiatives coordinated by the Cyber Center;
- (b) designate a primary point of contact for cybersecurity matters who shall interface with the Cyber Center, the state board, and UETN; and
- (c) cooperate with statewide cybersecurity assessments and improvement initiatives.
(5)
- (a) A regional education service agency, as that term is defined in Section 53G-4-410, may serve as the designated primary cybersecurity contact for multiple LEAs within the service area.
(b) If a regional education service agency serves as the primary contact under Subsection (5)(a), the agency shall:
- (i) coordinate with the Cyber Center, the state board, and UETN on behalf of the participating LEAs;
- (ii) ensure each participating LEA meets the minimum cybersecurity standards established under Subsection 63C-27-202(9); and
- (iii) maintain documentation of cybersecurity services provided to each LEA.
Enacted by Chapter 170, 2026 General Session