The bill amends the Security Breach Notification Act by updating definitions, notification requirements, and enforcement provisions related to data breaches involving personal information. Key changes include the requirement for individuals or entities to provide notice of a security breach to affected residents and the Attorney General within specified timeframes. The bill also introduces exemptions for breaches affecting fewer than 500 residents and modifies the definitions of personal information and breach of security. Additionally, it establishes civil penalties for violations and outlines conditions under which entities may limit their liability.

The bill specifies that personal information must be unencrypted and unredacted to trigger notification requirements and clarifies that reasonable safeguards must be in place to protect personal information. It also updates statutory language and references, ensuring compliance with existing federal regulations. The act will take effect on January 1, 2026, and includes provisions for confidentiality of information submitted to the Attorney General. Overall, the amendments aim to enhance consumer protection and clarify the responsibilities of entities handling personal data.