The bill amends the Identity Theft Protection Act of 2004 to enhance the protection of personal information through several key updates and new provisions. It redefines terms, such as "Agency," to explicitly include institutions of higher education, and requires individuals and agencies to implement reasonable security procedures to safeguard personal information. These procedures involve identifying risks, assessing the effectiveness of safeguards, and ensuring service providers comply with recognized cybersecurity frameworks. In the event of a security breach, the bill mandates prompt investigations and notifications to affected individuals, clarifying the responsibilities of third-party agents to notify data owners without unreasonable delay.

Additionally, the bill specifies the notification process for security breaches, requiring notice to affected residents and the attorney general if unencrypted personal information is accessed by unauthorized individuals, particularly when the breach affects 100 or more residents. It allows for electronic communication for notifications under certain conditions and outlines the required content of the notice, including information on identity theft prevention services. The bill also introduces enforcement amendments, stating that assurances of discontinuance do not imply guilt and can include stipulations for voluntary payments and restitution. It enhances the Attorney General's authority to issue demands for information and bring civil actions for violations, while repealing certain sections to streamline the enforcement process.

Statutes affected:
Senate Introduced Bill: 445.63