| 1 | Representative Waters offered the following: |
| 2 |
| 3 | Amendment |
| 4 | Remove lines 368-408 and insert: |
| 5 | (c) The administrative sanctions for failure to notify |
| 6 | provided in this subsection shall apply per breach and not per |
| 7 | individual affected by the breach. |
| 8 | (d) The administrative sanctions for failure to notify |
| 9 | provided in this subsection shall not apply in the case of |
| 10 | personal information in the custody of any governmental agency |
| 11 | or subdivision, unless that governmental agency or subdivision |
| 12 | has entered into a contract with a contractor or third-party |
| 13 | administrator to provide governmental services. In such case, |
| 14 | the contractor or third-party administrator shall be a person to |
| 15 | whom the administrative sanctions provided in this subsection |
| 16 | would apply, although such contractor or third-party |
| 17 | administrator found in violation of the notification |
| 18 | requirements provided in this subsection would not have an |
| 19 | action for contribution or set-off available against the |
| 20 | employing agency or subdivision. |
| 21 | (2)(a) Any person who maintains computerized data that |
| 22 | includes personal information on behalf of another business |
| 23 | entity shall disclose to the business entity for which the |
| 24 | information is maintained any breach of the security of the |
| 25 | system as soon as practicable, but no later than 10 days |
| 26 | following the determination, if the personal information was, or |
| 27 | is reasonably believed to have been, acquired by an unauthorized |
| 28 | person. The person who maintains the data on behalf of another |
| 29 | business entity and the business entity on whose behalf the data |
| 30 | is maintained may agree who will provide the notice, if any is |
| 31 | required, as provided in paragraph (1)(a), provided only a |
| 32 | single notice for each breach of the security of the system |
| 33 | shall be required. If agreement regarding notification cannot be |
| 34 | reached, the person who has the direct business relationship |
| 35 | with the resident of this state shall be subject to the |
| 36 | provisions of paragraph (1)(a). |
| 37 | (b) Any person required to disclose to a business entity |
| 38 | under paragraph (a) who fails to do so within 10 days after the |
| 39 | determination of a breach or receipt of notification from law |
| 40 | enforcement as provided in subsection (3) is liable for an |
| 41 | administrative fine not to exceed $500,000, as follows: |
| 42 | 1. In the amount of $1,000 for each day the breach goes |
| 43 | undisclosed for up to 30 days and, thereafter, $50,000 for each |
| 44 | 30-day period or portion thereof for up to 180 days. |
| 45 | 2. If disclosure is not made within 180 days, any person |
| 46 | required to make disclosures under paragraph (a) who fails to do |
| 47 | so is subject to an administrative fine of up to $500,000. |
| 48 | (c) The administrative sanctions for nondisclosure |
| 49 | provided in this subsection shall apply per breach and not per |
| 50 | individual affected by the breach. |
| 51 | (d) The administrative sanctions for nondisclosure |