The law requires companies to offer up to three and a half years of free credit monitoring to victims of a breach. Groups suffering a breach also must disclose the breach in a timely manner and tell the state whether they have a written information security program.