(1) For purposes of this section:

(a) Cybersecurity event means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system;

(b) Information system means:

(i) A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information; or

(ii) A specialized system, including an industrial or process control system, a telephone switching and private branch exchange system, and an environmental control system;

(c) Nonpublic information means information that is not publicly available and concerns a person that, because of a name, number, personal mark, or other identifier, can be used to identify such person, in combination with the following:

(i) A social security number;

(ii) A driver's license number or state identification card number;

(iii) A financial account number or credit or debit card number;

(iv) A security code, access code, or password that would permit access to such person's financial accounts; or

(v) Any biometric record;

(d) Private entity means a corporation, religious or charitable organization, association, partnership, limited liability company, limited liability partnership, or other private business entity, whether organized for-profit or not-for-profit; and

(e) Publicly available information means information that is lawfully made available through federal, state, or local government records or information that a private entity has a reasonable basis to believe is lawfully made available to the general public.

(2) A private entity shall not be liable in a class action resulting from a cybersecurity event unless the cybersecurity event was caused by willful, wanton, or gross negligence on the part of the private entity.