MI SB0672

Bill

Status

Engrossed

3/9/2022

Primary Sponsor

Wayne Schmidt

Origin

Senate

101st Legislature

AI Summary

Senate Bill 672 Summary

  • Amends the Identity Theft Protection Act to add an affirmative defense for covered entities that implement reasonable cybersecurity programs conforming to industry-recognized standards.

  • Covered entities can defend against tort claims for security breaches if they establish, maintain, and comply with a written cybersecurity program containing administrative, technical, and physical safeguards.

  • Recognizes nine categories of industry-standard frameworks including NIST standards, CIS Controls, ISO/IEC 27000, HIPAA, Gramm-Leach-Bliley Act, and Payment Card Industry Data Security Standard.

  • Requires cybersecurity programs to be proportionate to the covered entity's size, complexity, nature of activities, information sensitivity, available resources, and cost of security tools.

  • Mandates third-party certification of cybersecurity programs aligned with recognized standards, with an exception for financial institutions subject to state or federal regulatory examination.

Legislative Description

Trade: data security; an affirmative defense for covered entities with cybersecurity programs under certain circumstances; provide for. Amends title of 2004 PA 452 (MCL 445.61 - 445.79d) & adds sec. 12c.

Trade: business practices

Last Action

Referred To Committee On Financial Services

3/9/2022

Committee Referrals

Financial Services, 3/9/2022
Energy And Technology, 10/5/2021

Full Bill Text

No bill text available