Committee amends breach law to limit private class actions, advances Security Breach bill

Senator Howard introduced and explained an amendment to Senate Bill 17 16 to replace the term "cybersecurity event" with "breach of the security of a system" and to conform other language across the act. "We wanted to make sure that the language was conforming with everywhere throughout the act," Howard said when explaining the change.

Howard said the amendment sits within the Security Breach Notification Act enacted last year, which delays full reporting until Jan. 1, 2026, and places primary enforcement authority with the attorney general and, where appropriate, district attorneys. He said industry asked to eliminate a private right to class action where businesses comply with reporting and reasonable standards, while preserving private suits for willful, wanton conduct or gross negligence.

"We're saying if you comply with reporting to the AG so that we have full investigations and that right to civil penalty, we are not allowing those private suits to go forward," Howard told the committee when describing the policy trade-off.

Committee members probed the distinction between a security-system breach and HIPAA violations, and Howard pointed the committee to definitions in the existing statute and to the act’s provisions on "reasonable standards" that vary by industry size and regulatory context.

Members asked whether the attorney general’s office has the staff and resources to enforce the reporting regime. Howard told the committee he did not recall a dedicated cybersecurity line item in the AG’s budget request and estimated an initial investigative team might be a small number of attorneys and several investigators to review incoming reports.

The amendment was adopted by the committee and the bill as amended was advanced on a roll-call vote of eight ayes and zero nays. The committee record signals further follow-up on definitions, the role of the AG, and implementation details for enforcement and staffing.