This bill establishes requirements, standards, and collaborative requirements
for entities that own, control, and share personal data. The bill governs three types
of data controllers: 1) data owners, meaning any person that generates, collects, or
uses data for its own purposes; 2) data custodians, meaning any person that provides
data security and storage on behalf of a data owner; and 3) data stewards, meaning
any person that uses or facilitates the use of data on behalf of a data owner.

Data is defined in the bill as including “sensitive information,” which is defined
as information that, if disclosed or accessed by unauthorized parties, could result in
harm, privacy violations, or negative consequences for individuals or entities.
“Sensitive information” includes “personally identifiable information,” meaning
information that is or can reasonably be linked to an identified person, identifiable
person, or device linked to a person, and “nonpublic or privately held information,”
meaning information that is not publicly available or accessible to the general public;
is restricted to a specific group of individuals or entities; is considered confidential
or proprietary; is protected by privacy regulations; and requires appropriate
safeguards to prevent unauthorized access, use, or disclosure. The requirements of
the bill apply to data controllers who use or facilitate the use of sensitive information.

Under the bill, a data owner must limit the access to, sharing of, and use of its
data to what is adequate, relevant, and reasonably necessary for the purposes for
which the data is collected or generated. A data owner must also establish and

---

ensure compliance with relevant regulatory requirements and with internal policies
related to the review of data sharing and data use requests; data handling best
practices; and the handling of data agreement breaches, security incidents, and
related disputes.

Under the bill, a data custodian must provide a secure environment for the
storage of a data owner's data that is designed and configured in a manner that
reflects best practices in data security on subjects including identity and access
management controls, role-based permissions, data encryption, cyber security
threat monitoring, and recovery capabilities in the event of a disaster. A data
custodian must also establish and ensure compliance with internal policies and
procedures related to data access control, data retention and data destruction,
auditing capabilities and the performance of audits, the periodic review of new and
changing business and regulatory requirements that may impact data solution
organization, and any other requirements established in a data agreement. A data
custodian must also establish and ensure compliance with internal policies and
procedures related to security incidents and auditing.

Under the bill, a data steward must establish and ensure compliance with
internal policies and procedures related to various data handling practices.

If a data owner enters into an agreement with a data custodian or a data
steward, the agreement must meet the requirements described in the bill. Such an
agreement must identify all relevant parties, data sets, permitted uses and
restrictions of data, confidentiality requirements, law governing the data, and law
governing the agreement. Such an agreement must also include statements
regarding the response to security incidents, the term of the agreement, the terms
for terminating the agreement, and the authorization for or prohibition of the
collection and analysis of metadata, or data that describes other data. Such an
agreement between a data owner and a data custodian must include statements
regarding auditing capabilities and requirements.