The bill amends the Identity Theft Protection Act to enhance the protection of personal information by updating definitions and introducing new requirements for security procedures and breach notifications. Key changes include the clarification of the term "Agency" to explicitly include institutions of higher education, as well as the introduction of new definitions for "security breach" and "third-party agent." The bill mandates that any person or agency that owns or accesses personal information must implement reasonable security measures and conduct prompt investigations if a security breach is suspected. It also establishes a framework for compliance with recognized cybersecurity standards to ensure proactive measures are taken to protect personal data.
Additionally, the bill revises the notification process for security breaches, requiring third-party agents to notify affected individuals or agencies without unreasonable delay. It specifies that if a breach affects 100 or more residents, the attorney general must also be informed, along with detailed information about the breach. The bill outlines the content and format of required notices, establishes a 45-day timeline for notification, and includes penalties for fraudulent notifications and non-compliance. Notably, it removes the previous civil fine structure for failure to notify and clarifies that civil remedies for violations of state or federal law remain unaffected. The attorney general is empowered to demand compliance and can take civil action against those who fail to adhere to the act's requirements.
Statutes affected:
Senate Introduced Bill: 445.63
As Passed by the Senate: 445.63