Identity Theft bill

(This measure has not been amended since it was introduced. The summary has been expanded because action occurred on the measure.)

Notification of Risk to Personal Data Act - Requires any agency or person (agency) that owns or licenses computerized data containing sensitive personal information to: (1) implement and maintain reasonable security and notification procedures and practices to protect sensitive personal information from unauthorized access, destruction, use, modification, or disclosure; and (2) notify any U.S. resident whose sensitive personal information was compromised. Permits a federal law enforcement agency to delay notification if notification would impede an investigation.

Requires any agency in possession of computerized data containing sensitive personal information that it does not own or license to notify the entity from whom it received the information if the security of that information was compromised, resulting in a significant risk of identity theft.

Sets forth provisions regarding: (1) the timeliness of notification; (2) the methods and contents of notice; and (3) the duty to coordinate with consumer reporting agencies.

Declares that an agency that maintains notification procedures as part of an information security policy for the treatment of sensitive personal information and otherwise meets this Act's requirements shall be in compliance with this Act if the agency notifies subject persons in accordance with its policies in the event of a security breach.

Establishes civil remedies for failure to provide notice of a security breach.

Authorizes enforcement by state attorneys general on behalf of residents of the state.