The bill amends the Identity Theft Protection Act of 2004 to enhance the protection of personal information by updating definitions and introducing new requirements for security breach notifications. Key changes include the clarification of the term "Agency" to explicitly include institutions of higher education, as well as the introduction of new definitions for "security breach" and "third-party agent." The bill mandates that any person or agency that owns or accesses personal information must implement reasonable security procedures to safeguard that information. In the event of a suspected security breach, the responsible entity is required to conduct a prompt investigation to assess the breach's nature and scope.
Additionally, the bill revises the notification process for security breaches, imposing new requirements on third-party agents to notify affected individuals or agencies without unreasonable delay. It establishes a timeline for notification within 45 days of determining a breach and outlines the content and format of notifications. The bill removes the provision for a civil fine of up to $250 for failure to provide notice and clarifies that aggregate liability for multiple violations from the same breach shall not exceed $750,000. It also grants the attorney general enhanced authority to investigate violations, including the ability to issue demands for documents and testimony, and establishes penalties for non-compliance. Overall, the bill aims to streamline the legal framework surrounding security breach notifications and enforcement while ensuring better protection of personal information.
Statutes affected:
Senate Introduced Bill: 445.63
As Passed by the Senate: 445.63