NJ S1860

Creates affirmative defense for certain breaches of security.



Introduced: 02/28/2022
In Committee: 02/28/2022
Crossed Over
Passed
Dead: 01/08/2024

Introduced Session

2022-2023 Regular Session

Bill Summary

This bill creates an affirmative defense for breaches of security of personal and restricted information, as those terms are defined in the bill. The bill requires that if a covered entity, as that term is defined in the bill, seeks an affirmative defense to a breach of security, it is to have created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information or restricted information, or both, and that reasonably conforms to an industry recognized cybersecurity framework. A covered entity's cybersecurity program is to be designed to protect against the following: 1) breaches of the security and confidentiality of personal information, restricted information, or both; 2) any anticipated threats or hazards to the security or integrity of personal information, restricted information, or both; and 3) unauthorized access to and acquisition of personal information, restricted information, or both that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. The bill requires that the scale and scope of a covered entity's cybersecurity program is to be based on all of the following factors: 1) the size and complexity of the covered entity; 2) the nature and scope of the activities of the covered entity; 3) the sensitivity of the information to be protected; 4) the cost and availability of tools to improve information security and reduce vulnerabilities; and 5) the resources available to the covered entity. 
The bill permits the Director of the Division of Consumer Affairs in the Department of Law and Public Safety (director) to deem a covered entity's cybersecurity program, required by the bill, to reasonably conform to an industry recognized cybersecurity framework if the covered entity's cybersecurity program reasonably conforms to any of the cybersecurity frameworks or provisions of law enumerated in the bill. A determination of reasonable conformance by the director is to be considered by a court as evidence in order to determine whether the covered entity is entitled to an affirmative defense. A covered entity may raise the affirmative defense in court without the director's determination of reasonable conformance. Absent the director's determination of reasonable conformance, the court may determine reasonable conformance pursuant to the standards set forth in the bill. The provisions of the bill are not to be construed to provide a private right of action, including a class action, with respect to any practice regulated under the bill.

AI Summary

This bill creates an affirmative defense for covered entities (businesses or government units) against certain breaches of security involving personal or restricted information. To qualify for the defense, a covered entity must have a written cybersecurity program that reasonably conforms to an industry-recognized framework and meets specific requirements around protecting information, anticipating threats, and preventing unauthorized access. The Director of the Division of Consumer Affairs can deem a covered entity's program as reasonably conforming to certain enumerated frameworks or regulations. Courts will consider the Director's determination as evidence in evaluating the affirmative defense, but a covered entity can raise the defense without the Director's determination. The bill prohibits private rights of action and requires the Director to adopt implementing regulations.

Committee Categories

Business and Industry

Sponsors (1)

Last Action

Introduced in the Senate, Referred to Senate Economic Growth Committee (on 02/28/2022)
