The bill amends the Breach of Personal Information Notification Act to enhance protections for personal information and update definitions related to data breaches. Key changes include the introduction of new definitions such as "access device," "card security code," "financial institution," and "identity theft," while clarifying existing terms like "breach of the security of the system." The bill removes the previous exemption for good faith acquisition of personal information by employees, specifying that such actions are not considered a breach only if the information is not misused or disclosed further. Additionally, it mandates that entities implement reasonable procedures to protect personal information and outlines civil relief provisions for financial institutions affected by data breaches.
The bill also modifies notification requirements, stating that notice must be provided without unreasonable delay after a breach is discovered, with a possible three-day delay if law enforcement advises against immediate notification. It introduces enhanced civil relief for residents affected by violations, allowing them to seek damages and empowering the Attorney General to impose penalties on violators. The bill establishes a three-year limitation period for legal actions and prohibits arbitration clauses that restrict residents' rights to legal action. Furthermore, it requires entities managing personal information to implement reasonable security measures and holds them liable for breaches, including costs incurred by financial institutions. The new provisions will take effect 60 days after the bill's passage.
Statutes/Laws affected:
Printer's No. 1086 (Mar 24, 2025): P.L.474, No.94, P.L.1224, No.387
Printer's No. 1621 (May 06, 2025): P.L.474, No.94, P.L.1224, No.387
Printer's No. 1086: P.L.474, No.94, P.L.1224, No.387