HB 4187 Summary

• Establishes the "Data Breach Notification Act" requiring covered entities and third-party agents with more than 50 employees to implement reasonable security measures to protect sensitive personally identifying information.

• Mandates covered entities notify state residents within 45 days after discovering a breach of security involving unauthorized acquisition of sensitive personal information, with notice content including breach date, description of compromised information, and identity theft protection steps.

• Defines "sensitive personally identifying information" as name combined with Social Security number, government ID, financial account numbers with security codes, medical/mental health records, health insurance information, or email/username with passwords that could permit account access.

• Provides exceptions for entities complying with federal data breach notification laws, state insurance regulations, or equivalent state cybersecurity procedures, and preempts local municipal ordinances on data breach notification.

• Establishes civil penalties of up to $2,000 per violation or $5,000 per day of non-compliance (capped at $750,000 per breach), with enforcement authority vested exclusively in the Attorney General; takes effect January 20, 2022.