Several Utah voters who turned to the state’s "at‑risk" privacy form say the personal details they handed over are now locked inside a cloud system they cannot get wiped. One woman filed for protection after her home address was shared online and says the automatic reply to her plea showed the message came from Salesforce. That detail has left other residents uneasy about what might be searchable, and for how long.
How the form worked
A KSL-TV Investigates report found that at least 5,400 Utahns submitted information through the lieutenant governor’s at‑risk form, and that voter registration information for more than 1,000,000 Utah voters was accessible through the same systems. According to KSL, the lieutenant governor’s office uses Salesforce to route constituent feedback, and the forms it receives are generally forwarded to county clerks within a couple of business days. The at‑risk submission collected a filer’s name, date of birth, address, contact information, and an explanation of why the person was requesting privacy protections.
Salesforce's stance
Salesforce, the third‑party CRM platform involved, emphasizes in its legal and privacy materials that "security and privacy are top priorities" and that it does not acquire ownership rights in customer data or sell customer information to third parties, according to the company’s public policies. Those documents and program terms stress that customers, not Salesforce, decide how data is configured, who can get into it, and how long it is retained on the platform.
Security experts warn
Local cybersecurity professionals told KSL-TV that platforms like Salesforce can be operated safely, but only if access is tightly limited, exports are disabled and data is encrypted and logged. Earl Foote, founder of Nexus IT Consultants, warned that the information collected on the forms "could be used for identity theft," and other experts recommended treating at‑risk submissions as high‑risk data rather than ordinary constituent email. Their common advice was to lock down exports, require strict role‑based access, and maintain an auditable trail of who viewed or moved records.
Records rules complicate removal
Technical controls are only part of the story. State records retention rules matter too. The Utah Division of Archives and Records Service explains that executive correspondence, which can include constituent emails and forms, is typically retained for about five years before a preservation copy is transferred to the State Archives for permanent retention. That schedule can make a straightforward deletion or "take‑down" request difficult if an agency has already created a preservation copy.
Under state public‑records rules, some personal information can be redacted if disclosure would be a clearly unwarranted invasion of privacy, but procedures and standards vary by office and by county. Open‑government guides note that GRAMA (Utah’s Government Records Access and Management Act) provides the framework for requests, appeals, and redactions, and that voters may need to work with both the lieutenant governor’s office and their county clerk to seek relief.
For now, security consultants and privacy advocates say the fastest fixes are technical: stop exporting sensitive fields into broadly searchable views, add strict logging and auditing, encrypt sensitive columns, and route at‑risk claims through a separate, access‑restricted workflow. Longer term, the situation has prompted calls for clearer policy about what belongs in constituent CRMs and what should be handled through more guarded case‑management systems that are designed for sensitive data.
