"Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.'"
I think that the whole purpose of this is to cover things like storing passwords, etc., as hashed data. That's something I tried to get into Virginia's data breach law (and will probably give it a shot again this year), but try explaining the concept of "cryptographic hashes" to legislators who are mostly lawyers. Three guys on the subcommittee got it (engineers and tech guys), but it was WAY over everybody else's heads.
And it's not just the legislators. The LexisNexis lobbyist went ballistic over the idea until she talked to somebody in her IT department, because she didn't understand what was going on.
I understand what this language is supposed to do, but it's just poorly crafted.