Brivy IT

October 30, 2025

Data Privacy and Compliance for Utah Businesses: What You Need to Know

Utah has its own consumer privacy law, and federal regulations add more requirements depending on your industry. Here's a practical breakdown of what actually applies to your business.

KEY TAKEAWAYS
  • The Utah Consumer Privacy Act (UCPA) gives Utah residents rights over their personal data and creates obligations for qualifying businesses
  • HIPAA, PCI DSS, and financial regulations add industry-specific requirements on top of state privacy law
  • Most compliance requirements translate to security best practices you should be following anyway — encryption, access controls, audit logging
  • Non-compliance risks include fines, lawsuits, lost business, and cyber insurance claim denials

A Utah accounting firm handles tax returns, financial statements, and payroll data for hundreds of clients. They know they need to “be compliant” but aren’t sure with what — or whether their current IT setup actually meets the requirements. Sound familiar?

Data privacy and compliance can feel overwhelming, especially for small businesses without a legal department or a compliance officer. Here’s a plain-English guide to the regulations that most likely affect your Utah business.

Utah Consumer Privacy Act (UCPA)

Utah’s own privacy law took effect on December 31, 2023. It applies to businesses that meet all three of the following:

  • Conduct business in Utah or offer products or services targeted to Utah residents
  • Have annual revenue of $25 million or more
  • Control or process the personal data of 100,000 or more Utah consumers in a calendar year, OR control or process the personal data of 25,000 or more consumers and derive over 50% of gross revenue from selling personal data

If your business meets those thresholds, UCPA requires you to give consumers a privacy notice, honor their requests to access, delete, or obtain a copy of their personal data, let them opt out of data sales and targeted advertising, and implement reasonable data security practices.

Even if you’re below the thresholds, UCPA shows the direction privacy regulation is heading. Good data handling practices cost far less to build now than to retrofit later if the thresholds are lowered or your business grows into them.

Industry-Specific Regulations

HIPAA (Healthcare)

If your Utah business handles protected health information (PHI) — as a healthcare provider, health plan, or business associate — HIPAA’s Security Rule requires administrative, physical, and technical safeguards. In practice that means:

  • Encryption of PHI in transit and at rest. The rule lists encryption as an “addressable” specification, so you must either implement it or document why an equivalent alternative is reasonable; in practice it is hard to justify skipping, because lost or stolen PHI that was encrypted per HHS guidance is not a reportable breach, while unencrypted PHI is presumed to be one
  • Access controls limiting who can view patient data, with unique user IDs so every action can be attributed to a person
  • Audit logging of PHI access, with regular review of that activity
  • Business Associate Agreements (BAAs) with vendors who create, receive, store, or transmit PHI on your behalf
  • A documented risk analysis, repeated periodically and after significant changes to your systems
  • Workforce training on PHI handling

HIPAA civil penalties range from $100 to $50,000 per violation, capped at $1.5 million per calendar year for violations of the same provision. Those are the statutory base amounts; HHS adjusts them for inflation each year, so the current figures are higher. Utah’s healthcare sector — from hospital systems to small practices to home health agencies — is frequently targeted by both regulators and attackers.

PCI DSS (Payment Card Data)

If your business accepts credit or debit card payments, PCI DSS applies. The validation effort scales with your transaction volume: the smallest merchants complete an annual Self-Assessment Questionnaire (SAQ), while the largest undergo an on-site assessment by a Qualified Security Assessor. The underlying requirements do not change with size: maintain secure systems, protect cardholder data, and keep card data out of systems that don’t need it, which shrinks the scope of what you must assess.

Financial Regulations

Utah’s financial services sector — trust companies, credit unions, wealth management firms — faces requirements from multiple regulators including the SEC, FINRA, FDIC, and the Utah Department of Financial Institutions. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and explain their information-sharing practices, and the FTC’s updated Safeguards Rule under GLBA names specific controls: a written information security program based on a risk assessment, encryption of customer information in transit and at rest, multifactor authentication for anyone who accesses that information, and a written incident response plan.

By the numbers:
  • $1.5M: HIPAA’s base annual penalty cap for violations of a single provision (higher after inflation adjustment)
  • $25M+: UCPA annual revenue threshold
  • 72 hours: the breach notification deadline some regimes impose (the GDPR, for example). Deadlines vary widely: HIPAA allows up to 60 days after discovery, and Utah’s breach notification statute requires notice “in the most expedient time possible and without unreasonable delay.” Know which clock applies to you before an incident.

What Compliance Actually Requires (In IT Terms)

Strip away the legal language, and most compliance frameworks require the same core IT controls:

Access controls. Only authorized people access sensitive data. MFA, strong passwords, and role-based access enforce this technically.

Encryption. Data encrypted in transit (TLS; SSL and early TLS versions are obsolete and should be disabled) and at rest (BitLocker, database encryption). If a device is lost or stolen, encrypted data is unreadable.

Audit logging. Maintain logs of who accessed what data, when, and from where. Microsoft 365’s unified audit log covers email, SharePoint, and Teams access, but check that it is actually turned on for your tenant, and note that the standard retention is 180 days; if your regulator or your incident response needs expect a longer history, export the logs to a SIEM or archive.
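As an added example (this is not Brivy IT’s code and not a Microsoft tool), here is a small Python script that turns exported Microsoft 365 unified audit log records into the who/what/when/from-where report described above, and flags records that merit review: access from outside the office network, access outside business hours, and bulk file downloads. The sample records, the office IP range, the business-hours window and the download threshold are all constructed placeholders; a real export from the Purview audit search or the Search-UnifiedAuditLog cmdlet carries many more fields, but the ones used here (CreationTime, UserId, Operation, ObjectId, ClientIP, Workload) appear in every record.

```python
"""Summarise and triage Microsoft 365 unified audit log records.

Added example, not Brivy IT's or Microsoft's code. RECORDS, OFFICE_NETWORKS,
BUSINESS_HOURS and BULK_DOWNLOAD_THRESHOLD are constructed placeholders.
"""
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Placeholder policy values (assumptions for this example).
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, not a real office
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 UTC; audit timestamps are UTC
BULK_DOWNLOAD_THRESHOLD = 3            # FileDownloaded events per user in one export

# Constructed sample records in the shape of the AuditData JSON (not real data).
RECORDS = [json.dumps(r) for r in [
    {"CreationTime": "2025-10-28T15:02:11", "UserId": "dana@example.com",
     "Operation": "FileAccessed", "Workload": "SharePoint", "ClientIP": "203.0.113.25",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Patel_2024_1040.pdf"},
    {"CreationTime": "2025-10-28T15:05:40", "UserId": "dana@example.com",
     "Operation": "FileDownloaded", "Workload": "SharePoint", "ClientIP": "203.0.113.25",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Patel_2024_1040.pdf"},
    {"CreationTime": "2025-10-29T02:14:03", "UserId": "mark@example.com",
     "Operation": "FileAccessed", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Payroll_Q3.xlsx"},
    {"CreationTime": "2025-10-29T02:15:10", "UserId": "mark@example.com",
     "Operation": "FileDownloaded", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Payroll_Q3.xlsx"},
    {"CreationTime": "2025-10-29T02:16:22", "UserId": "mark@example.com",
     "Operation": "FileDownloaded", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Garcia_W2s.zip"},
    {"CreationTime": "2025-10-29T02:17:05", "UserId": "mark@example.com",
     "Operation": "FileDownloaded", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/clients/Shared Documents/Nguyen_1099s.pdf"},
    {"CreationTime": "2025-10-29T10:30:00", "UserId": "lee@example.com",
     "Operation": "MailItemsAccessed", "Workload": "Exchange", "ClientIP": "203.0.113.40",
     "ObjectId": "mailbox:lee@example.com"},
]]


def parse_record(raw: str) -> dict:
    """Decode one AuditData JSON document and attach a timezone-aware timestamp."""
    rec = json.loads(raw)
    rec["When"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
    return rec


def is_office_ip(ip: str) -> bool:
    """True if the client address falls inside a known office network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # empty or malformed ClientIP: treat as not-office
        return False
    return any(addr in net for net in OFFICE_NETWORKS)


def access_report(raw_records) -> list:
    """Who accessed what, when, and from where: one row per record, oldest first."""
    rows = [{
        "who": rec["UserId"],
        "what": rec["ObjectId"],
        "action": rec["Operation"],
        "when": rec["When"].isoformat(),
        "where": rec.get("ClientIP") or "unknown",
        "workload": rec["Workload"],
    } for rec in map(parse_record, raw_records)]
    return sorted(rows, key=lambda r: r["when"])


def review_flags(raw_records) -> dict:
    """Map each user with suspicious activity to a sorted list of reasons."""
    flags = defaultdict(set)
    downloads = Counter()
    for rec in map(parse_record, raw_records):
        user, ip = rec["UserId"], rec.get("ClientIP", "")
        if not is_office_ip(ip):
            flags[user].add(f"access from non-office address {ip or 'unknown'}")
        if rec["When"].hour not in BUSINESS_HOURS:
            flags[user].add("access outside business hours")
        if rec["Operation"] == "FileDownloaded":
            downloads[user] += 1
    for user, n in downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            flags[user].add(f"bulk download: {n} files in this export")
    return {user: sorted(reasons) for user, reasons in flags.items()}


if __name__ == "__main__":
    for row in access_report(RECORDS):
        print(f"{row['when']}  {row['who']:<18} {row['action']:<18} {row['where']:<14} {row['what']}")
    for user, reasons in review_flags(RECORDS).items():
        print(f"REVIEW {user}: " + "; ".join(reasons))
```

The report is the evidence an auditor asks for; the flags are what a practitioner actually reads. Feed the script a real export (one JSON document per line) and tune OFFICE_NETWORKS and BUSINESS_HOURS to your environment; the thresholds here are deliberately simple and are a starting point, not a detection rule you should ship unchanged.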

Data retention and disposal. Know how long you’re required to keep data and have a process for securely destroying it when retention periods expire.

Incident response. A documented plan for responding to data breaches, including notification procedures that meet your regulatory requirements (HIPAA, for example, requires notifying affected individuals no later than 60 days after a breach is discovered, and Utah’s statute requires notice without unreasonable delay). Test the plan before you need it.

Vendor management. Ensure that third-party vendors who access your data maintain appropriate security controls. This includes cloud providers, SaaS applications, and IT service providers.

Employee training. Regular security awareness training that covers data handling procedures, phishing recognition, and acceptable use policies.

⚠️ HEADS UP

Compliance is not the same as security, but there’s significant overlap. Meeting compliance requirements sets a security baseline, but truly protecting your business may require controls beyond what’s strictly required by regulation.

Get Compliant Without the Headache

At Brivy IT, we help Utah businesses implement the technical controls required by HIPAA, PCI DSS, UCPA, and other frameworks. We don’t provide legal advice, but we handle the IT side — encryption, access controls, audit logging, backup, and security — so your compliance posture is solid. Reach out for a free compliance readiness assessment.


Copyright © 2024 Brivy LLC

Author: John Huston