(a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

(b) Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, “publicly displayed” includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

(c) As used in this section, (1) “personal information” means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, a health insurance identification number or any military identification information, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media, and (2) “military identification information” means information identifying a person as a member of the armed forces, as defined in § 27-103, or a veteran, as defined in said section, including, but not limited to, a selective service number, military identification number, discharge document, military identification card or military retiree identification card.

(d) For persons who hold a license, registration or certificate issued by, or a charter subject to the supervision of, a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency’s existing statutory and regulatory authority.

(e) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional.

(f) The provisions of this section shall not apply to any agency or political subdivision of the state.

(g) If a financial institution has adopted safeguards that comply with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 USC 6801, then such compliance shall constitute compliance with the provisions of this section.

(h) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to § 42-472a.