The bill amends the Breach of Personal Information Notification Act to strengthen protections for personal information and update definitions related to data breaches. Key changes include the introduction of new definitions for terms such as "access device," "financial institution," and "identity theft," while clarifying the definition of "breach of the security of the system." The bill removes the previous provision under which good faith acquisition of personal information by employees was not considered a breach; it now specifies that such acquisition is not a breach only if the information is not used unlawfully or disclosed further. Additionally, it mandates that entities implement reasonable procedures to protect personal information and outlines civil relief for financial institutions affected by data breaches.
The bill also modifies the notification process for breaches, requiring timely notification to affected residents and allowing for a three-day delay if advised by law enforcement. It repeals previous provisions related to civil relief under the Unfair Trade Practices and Consumer Protection Law and introduces new sections that mandate the protection of personal information, including reimbursement obligations for entities in the event of a data breach. Furthermore, it enhances civil relief for residents affected by violations, allowing them to recover damages with a minimum of $5,000 per violation, and empowers the Attorney General to impose penalties. The bill establishes a three-year limitation period for actions and ensures that multiple violations from a single act count as one violation, while also prohibiting the retention of certain sensitive data after transaction authorization.
Statutes/Laws affected:
Printer's No. 1086 (Mar 24, 2025): P.L.474, No.94, P.L.1224, No.387
Printer's No. 1621 (May 06, 2025): P.L.474, No.94, P.L.1224, No.387