Current through Bulletin No. 2024-21, November 1, 2024
Section R708-48-12 - Records

(1) The provider shall maintain the following client records:
  (a) documentation of each ignition interlock system activity provided to a client which include:
    (i) the client's:
      (C) driver license number and state of issuance; and
      (D) license plate number and state of issuance;
    (ii) the type of service provided;
    (iii) the exact date the service was performed;
    (iv) the name of the installer who performed each service; and
    (v) the name of the manufacturer and system serial number for the:
  (b) original copies of client contracts;
  (c) client responsibility forms;
  (d) original copies of receipts and invoices;
  (e) installation reports; and
  (f) certificates of calibration with serial numbers of the:

(2) The provider shall:
  (a) store any client records in a location accessible to the division during normal business hours; and
  (b) store active client records in a single location in the service center.

(3) The provider may store inactive client records in a single offsite storage location after one year has elapsed since the system was removed.

(4) The provider shall maintain client records for a period of four years after the contractual obligation with the client has concluded.

(5) Each provider shall review the records of the business every six months for completeness and accuracy.

(6) The provider shall immediately file an affidavit with the division if any records the business is required to maintain are lost or destroyed which states:
  (a) the date the record was lost or destroyed;
  (b) the circumstances surrounding the loss or destruction;
  (c) the effect the loss may have on clients or the business's ability to fulfill requirements under this rule; and
  (d) a description of the contents of the records lost or destroyed.

(7) In the event of a breach of data security, the provider shall:
  (a) notify the division immediately after becoming aware of a breach of data security;
  (b) cooperate with the state regarding recovery of data, remediation; and involvement of law enforcement;
  (c) bear the cost of notifying everyone whose personal information may have been compromised;
  (d) notify those individuals whose personal information may have been compromised in accordance with Title 13, Chapter 44, Protection of Personal Information Act;
  (e) perform an analysis to determine the cause of the breach;
  (f) produce a remediation plan to reduce the risk of incurring a similar type of breach in the future; and
  (g) present the analysis and remediation plan to the division within ten days of notifying the division of the breach of data security.

(8)(a) The division has the right to adjust the plan under Subsection (6)(f), at its sole discretion.
  (b) If the provider cannot produce the required analysis and plan under Subsection (6)(f) within the allotted time, the state, in its sole discretion, may perform an analysis and produce a remediation plan that the provider shall comply with, at the provider's sole cost.

(9) The provider shall:
  (a) ensure any client records, state records, and information remain confidential at all times; and
  (b) comply with state and federal laws, rules, and regulations concerning the confidentiality of information.

Utah Admin. Code R708-48-12
Adopted by Utah State Bulletin Number 2024-06, effective 3/12/2024