(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:
(1) shredding;
(2) erasing; or
(3) otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.

(c) This section does not apply to a financial institution as defined by 15 U.S.C. § 6809.
(d) As used in this section, “business” includes a nonprofit athletic or sports association.