The bill amends the Security Breach Notification Act by updating definitions, modifying the duty to disclose breaches, and clarifying the notice requirements for individuals and entities that experience a security breach involving personal information. Key changes include the requirement for entities to provide notice to the Attorney General within 60 days of notifying affected residents, with specific exemptions for breaches affecting fewer than 500 or 1,000 residents, depending on the type of entity. The bill also introduces new definitions, such as "reasonable safeguards," and modifies the civil penalties for violations, allowing for a defense against penalties if reasonable safeguards were in place.

Additionally, the bill updates statutory language and references, ensuring compliance with the revised notification requirements. It specifies that violations resulting in injury or loss may be enforced by the Attorney General or district attorneys, with penalties based on the severity of the breach. The act will take effect on January 1, 2026, aligning the enforcement of these provisions with the updated legal framework.