The bill amends the Breach of Personal Information Notification Act to enhance protections for personal information and clarify the responsibilities of data-managing entities. Key changes include the introduction of definitions for terms such as "access device," "financial institution," and "identity theft," along with modifications to existing definitions. It specifies that a breach of security occurs when unauthorized access compromises the security or confidentiality of personal information. Additionally, it clarifies that good-faith acquisition of personal information by an employee is not considered a breach if the information is not misused or disclosed further. The bill also mandates that entities implement reasonable procedures to prevent unauthorized access and provides civil relief for financial institutions affected by data breaches.

Moreover, the bill enhances civil relief for residents adversely affected by violations, allowing them to bring actions for damages with a minimum of $5,000 per violation. The Attorney General is empowered to act against violators, imposing penalties of up to $10,000 per violation. It establishes a three-year limitation period for actions and ensures that residents' rights to legal action are not restricted by arbitration clauses in contracts. The bill also requires entities to implement reasonable security measures, prohibits the retention of sensitive card security information post-authorization, and allows financial institutions to recover costs incurred due to breaches. The previous applicability section of the act is repealed, and the new provisions will take effect 60 days after the bill's passage.

Statutes/Laws affected:
Printer's No. 1086 (Mar 24, 2025): P.L.474, No.94, P.L.1224, No.387
Printer's No. 1621 (May 06, 2025): P.L.474, No.94, P.L.1224, No.387
Printer's No. 2381 (Sep 30, 2025): P.L.474, No.94, P.L.1224, No.387