This bill mandates that any individual or business entity that owns or licenses personal information about New Jersey residents must establish and maintain a comprehensive information security program. The program must include administrative, technical, and physical safeguards tailored to the size and nature of the business, the resources available, the volume of data stored, and the need for confidentiality. Key components of the program include designating responsible employees, assessing risks to personal information, developing security policies, and ensuring oversight of third-party service providers. Additionally, the program must incorporate secure user authentication protocols, access control measures, encryption of data, and regular monitoring for unauthorized access.

Violations of this act are classified as unlawful practices under the New Jersey Consumer Fraud Act, with penalties including monetary fines of up to $10,000 for first offenses and $20,000 for subsequent offenses. The Attorney General may also issue cease and desist orders, and those harmed by violations may be entitled to punitive damages and treble damages. The act is set to take effect 120 days after its enactment.