2018 -- H 7387 | |
======== | |
LC003884 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2018 | |
____________ | |
A N A C T | |
RELATING TO STATE AFFAIRS AND GOVERNMENT - BREACH OF PERSONAL | |
INFORMATION NOTIFICATION ACT | |
| |
Introduced By: Representatives Filippi, Edwards, Solomon, Marshall, and Giarrusso | |
Date Introduced: February 01, 2018 | |
Referred To: House Judiciary | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 42 of the General Laws entitled "STATE AFFAIRS AND |
2 | GOVERNMENT" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 127.2 |
4 | BREACH OF PERSONAL INFORMATION NOTIFICATION ACT |
5 | 42-127.2-1. Purpose. |
6 | The intent of the general assembly is to help ensure that the personal information of |
7 | residents of this state is protected by providing procedures for notification of security breaches |
8 | related to personal information and thereby encouraging individuals and commercial entities, as |
9 | defined in this chapter, to provide reasonable security for unencrypted personal information. |
10 | 42-127.2-2. Definitions. |
11 | As used in this chapter: |
12 | (1) "Breach of the security of a system" means the unauthorized access and acquisition of |
13 | unencrypted and unredacted computerized data that compromises the security or confidentiality |
14 | of personal information maintained by an individual or entity as part of a database of personal |
15 | information regarding multiple individuals and that causes, or the individual or entity reasonably |
16 | believes has caused, or will cause identity theft or other fraud to any resident of this state. |
17 | (i) Good faith acquisition of personal information by an employee or agent of an |
18 | individual or entity for the purposes of the individual or the entity is not a breach of the security |
| |
1 | of the system, provided that the personal information is not used for a purpose other than a lawful |
2 | purpose of the individual or entity or subject to further unauthorized disclosure. |
3 | (2) "Encrypted" means transformation of data through the use of an algorithmic process |
4 | into a form in which there is a low probability of assigning meaning without use of a confidential |
5 | process or key, or securing the information by another method that renders the data elements |
6 | unreadable or unusable. |
7 | (3) "Entity" includes corporations, business trusts, estates, partnerships, limited |
8 | partnerships, limited liability partnerships, limited liability companies, associations, |
9 | organizations, joint ventures, governments, governmental subdivisions, agencies, or |
10 | instrumentalities, or any other legal entity, whether for profit or not-for-profit. |
11 | (4) "Financial institution" has the meaning given that term in 15 U.S.C. ยง 68093. |
12 | (5) "Individual" means a natural person. |
13 | (6) "Notice" means: |
14 | (i) Written notice to the postal address in the records of the individual or entity; |
15 | (ii) Telephone notice; |
16 | (iii) Electronic notice; or |
17 | (iv) Substitute notice, if the individual or the entity required to provide notice |
18 | demonstrates that the cost of providing notice will exceed fifty thousand dollars ($50,000) or that |
19 | the affected class of residents to be notified exceeds one hundred thousand (100,000) persons, or |
20 | that the individual or the entity does not have sufficient contact information or consent to provide |
21 | notice as described in subsections (i), (ii) or (iii) of this section. Substitute notice consists of any |
22 | two (2) of the following: |
23 | (A) Email notice if the individual or the entity has email addresses for the members of the |
24 | affected class of residents; and |
25 | (B) Conspicuous posting of the notice on the website of the individual or the entity if the |
26 | individual or the commercial entity maintains a website; and |
27 | (C) Notice to major statewide media. |
28 | (7) "Personal information" means the first name or first initial and last name in |
29 | combination with and linked to any one or more of the following data elements that relate to a |
30 | resident of this state, when the data elements are neither encrypted nor redacted: |
31 | (i) Social security number; |
32 | (ii) Driver's license number or state identification card number issued in lieu of a driver's |
33 | license; or |
34 | (iii) Financial account number, or credit card or debit card number, in combination with |
| LC003884 - Page 2 of 6 |
1 | any required security code, access code, or password that would permit access to a resident's |
2 | financial accounts. |
3 | (iv) The term does not include information that is lawfully obtained from publicly |
4 | available information, or from federal, state, or local government records lawfully made available |
5 | to the general public. |
6 | (8) "Redact" means alteration or truncation of data such that no more than the following |
7 | are accessible as part of the personal information; |
8 | (i) Five (5) digits of a social security number; or |
9 | (ii) The last four (4) digits of a driver's license number, state identification card number |
10 | or account number. |
11 | 42-127.2-3. Disclosure of breach of security of computerized personal information |
12 | by an individual or entity. |
13 | (a) General rule. An individual or entity that owns or licenses computerized data that |
14 | includes personal information shall disclose any breach of the security of the system following |
15 | discovery or notification of the breach of the security of the system to any resident of this state |
16 | whose unencrypted and unredacted personal information was or is reasonably believed to have |
17 | been accessed and acquired by an unauthorized person and that causes, or the individual or entity |
18 | reasonably believes has caused or will cause, identity, theft or other fraud to any resident of this |
19 | state. Except as provided in subsection (d) of this section or in order to take any measures |
20 | necessary to determine the scope of the breach and to restore the reasonable integrity of the |
21 | system, the disclosure shall be made without unreasonable delay. |
22 | (b) Encrypted information. An individual or entity must disclose the breach of the |
23 | security of the system if encrypted information is accessed and acquired in an unencrypted form, |
24 | or if the security breach involves a person with access to the encryption key and the individual or |
25 | entity reasonably believes that such breach has caused or will cause identity theft or other fraud to |
26 | any resident of this state. |
27 | (c) An individual or entity that maintains computerized data that includes personal |
28 | information that the individual or entity does not own or license shall notify the owner or licensee |
29 | of the information of any breach of the security of the system as soon as practicable following |
30 | discovery, if the personal information was or the entity reasonably believes was accessed and |
31 | acquired by an unauthorized person. |
32 | (d) Notice required by this section may be delayed if a law enforcement agency |
33 | determines and advises the individual or entity that the notice will impede a criminal or civil |
34 | investigation, or homeland or national security. Notice required by this section must be made |
| LC003884 - Page 3 of 6 |
1 | without unreasonable delay after the law enforcement agency determines that notification will no |
2 | longer impede the investigation or jeopardize national or homeland security. |
3 | 42-127.2-4. Procedures deemed in compliance with security breach requirements. |
4 | (a) Information privacy or security policy. An entity that maintains its own notification |
5 | procedures as part of an information privacy or security policy for the treatment of personal |
6 | information and that are consistent with the timing requirements of this chapter shall be deemed |
7 | to be in compliance with the notification requirements of this chapter if it notifies residents of this |
8 | state in accordance with its procedures in the event of a breach of security of the system. |
9 | (b) Compliance with federal requirements. |
10 | (1) A financial institution that complies with the notification requirements prescribed by |
11 | the federal interagency guidance on response programs for unauthorized access to customer |
12 | information and customer notice is deemed to be in compliance with this chapter. |
13 | (2) An entity that complies with the notification requirements or procedures pursuant to |
14 | the rules, regulation, procedures, or guidelines established by the entity's primary or functional |
15 | federal regulator shall be in compliance with this chapter. |
16 | 42-127.2-5. Violations. |
17 | (a) A violation of this chapter that results in injury or loss to residents of this state may be |
18 | enforced by the office of the attorney general as an unfair trade practice pursuant to chapter 13.1 |
19 | of title 6. |
20 | (b) Except as provided by subsection (c) of this section, the office of the attorney general |
21 | shall have exclusive authority to bring action and may obtain either actual damages for a violation |
22 | of this chapter or a civil penalty not to exceed one hundred fifty thousand dollars ($150,000) per |
23 | breach of the security of the system or series of breaches of a similar nature that are discovered in |
24 | a single investigation. |
25 | (c) A violation of this chapter by a state-chartered or licensed financial institution shall be |
26 | enforceable exclusively by the financial institutions' primary state regulator. |
27 | 42-127.2-6. Applicability. |
28 | This chapter shall apply to the discovery or notification of a breach of the security of the |
29 | system that occurs on or after the effective date of this chapter. |
30 | 42-127.2-7. Severability. |
31 | If any provision of this chapter or its application to any person or circumstance is held |
32 | invalid, the invalidity does not affect other provisions or applications of this chapter which can be |
33 | given effect without the invalid provision or application, and to this end the provisions of this |
34 | chapter are severable. |
| LC003884 - Page 4 of 6 |
1 | SECTION 2. This act shall take effect on July 1, 2018. |
======== | |
LC003884 | |
======== | |
| LC003884 - Page 5 of 6 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO STATE AFFAIRS AND GOVERNMENT - BREACH OF PERSONAL | |
INFORMATION NOTIFICATION ACT | |
*** | |
1 | This act would establish procedures to notify individuals of any breaches of their |
2 | unencrypted personal information and penalties for any violation. |
3 | This act would take effect on July 1, 2018. |
======== | |
LC003884 | |
======== | |
| LC003884 - Page 6 of 6 |