Bill > H6346

This bill amends the Identity Theft Protection Act of 2015 by making several significant changes to data protection and cybersecurity regulations. The bill eliminates the existing definitions of "classified data" and "personal information" and replaces them with a new, broader definition of "personally identifiable information" that includes direct and indirect identifiers, biometric data, and internet data. The bill requires municipal and state agencies, as well as other entities that handle sensitive information, to implement and maintain a risk-based information security program that meets current industry best practices, with specific requirements for protecting data in transit and at rest. The legislation increases penalties for violations, raising the fine for reckless violations from $100 to $1,000 per record and for knowing and willful violations from $200 to $2,000 per record. Additionally, the bill introduces new notification requirements, mandating that agencies report cybersecurity incidents to state police within 24 hours and provide an annual update to the division of enterprise technology strategy and services (ETSS). The bill aims to strengthen data protection measures, improve incident reporting, and provide more comprehensive safeguards for individuals' personal information.