2022 -- H 7565 | |
======== | |
LC004754 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2022 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 | |
| |
Introduced By: Representatives Phillips, McEntee, Ajello, Serpa, Corvese, Edwards, | |
Date Introduced: February 18, 2022 | |
Referred To: House Judiciary | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity |
2 | Theft Protection Act of 2015" is hereby amended to read as follows: |
3 | 11-49.3-4. Notification of breach. |
4 | (a)(1) Any municipal agency, state agency, or any other person or entity that stores, owns, |
5 | collects, processes, maintains, acquires, uses, or licenses data, or any agency, entity, or person that |
6 | maintains or stores, but does not own or license, data that includes personal information shall |
7 | provide notification as set forth in this section of any disclosure of personal information, or any |
8 | breach of the security of the system, that poses a significant risk of identity theft to any resident of |
9 | Rhode Island whose personal information was, or is reasonably believed to have been, acquired by |
10 | an unauthorized person or entity. In addition to providing notice as required in this section, the |
11 | municipal agency, state agency, or any other person or entity shall cooperate with the owner or |
12 | licensor of such information. Such cooperation shall include, but not be limited to, informing the |
13 | owner or licensor of the breach of security, the date and approximate time of the breach, and any |
14 | steps taken related to minimizing the breach upon discovery. Cooperation shall not include the |
15 | requirement that any agency, public or private entity or other person disclose confidential business |
16 | information or trade secrets. |
17 | (2) The notification shall be made in the most expedient time possible and without |
18 | unreasonable delay, but no later than forty-five (45) calendar days after the municipal agency, state |
19 | agency or other person or entity knows or has reason to know of the breach, knows or has reason |
| |
1 | to know that any personal information has been acquired or used by an unauthorized person or |
2 | entity, and/or upon confirmation of the breach and the ability to ascertain the information required |
3 | to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent |
4 | with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the |
5 | event that more than five hundred (500) Rhode Island residents are to be notified, the The municipal |
6 | agency, state agency, or person shall notify the attorney general, the department of business |
7 | regulation, and the major credit reporting agencies as to the timing, content, and distribution of the |
8 | notices and the approximate number of affected individuals. Notification to the attorney general, |
9 | the department of business regulation, and the major credit reporting agencies shall be made |
10 | without delaying notice to affected Rhode Island residents. Notice to the attorney general, the |
11 | department of business regulation, and major credit reporting agencies shall include the nature of |
12 | the breach of security or unauthorized acquisition, the number of people affected by the incident, |
13 | the name and address of the agency, person or entity that experienced the breach of security, the |
14 | name and address of the agency, person or entity reporting the breach of security, the person |
15 | responsible for committing the breach, if known and the type of personal information compromised, |
16 | including, but not limited to, social security numbers, bank account numbers, credit/debit card |
17 | numbers or any other information that may have the potential to impact any person’s privacy or |
18 | financial security. |
19 | (b) The notification required by this section may be delayed if a federal, state, or local law |
20 | enforcement agency determines that the notification will impede a criminal investigation. The |
21 | federal, state, or local law enforcement agency must notify the municipal agency, state agency, or |
22 | person of the request to delay notification without unreasonable delay. If notice is delayed due to |
23 | such determination, then, as soon as the federal, state, or municipal law enforcement agency |
24 | determines and informs the municipal agency, state agency, or person that notification no longer |
25 | poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant |
26 | to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, |
27 | state, or municipal law enforcement in its investigation of any breach of security or unauthorized |
28 | acquisition or use, which shall include the sharing of information relevant to the incident; provided |
29 | however, that such disclosure shall not require the disclosure of confidential business information |
30 | or trade secrets. |
31 | (c) Any municipal agency, state agency, or person required to make notification under this |
32 | section and fails to do so is liable for a violation as set forth in § 11-49.3-5. |
33 | (d) The notification to individuals must include the following information to the extent |
34 | known: |
| LC004754 - Page 2 of 4 |
1 | (1) A general and brief description of the incident, including how the security breach |
2 | occurred and the number of affected individuals; |
3 | (2) The type of information that was subject to the breach; |
4 | (3) Date of breach, estimated date of breach, or the date range within which the breach |
5 | occurred; |
6 | (4) Date that the breach was discovered; |
7 | (5) A clear and concise description of any remediation services offered to affected |
8 | individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; |
9 | (ii) Remediation service providers; (iii) The attorney general; and |
10 | (6) A clear and concise description of the consumer's ability to file or obtain a police report; |
11 | how a consumer requests a security freeze and the necessary information to be provided when |
12 | requesting the security freeze; and that no fees may be required to be paid to the consumer reporting |
13 | agencies when any person requesting a security freeze does so as a result of any breach. |
14 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004754 | |
======== | |
| LC004754 - Page 3 of 4 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 | |
*** | |
1 | This act would expand the responsibilities of those municipal or state agencies or any other |
2 | person or entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data, |
3 | who experiences a security breach. The responsibilities would include providing additional |
4 | information to persons affected and providing additional cooperation and information to law |
5 | enforcement and the department of business regulation. |
6 | This act would take effect upon passage. |
======== | |
LC004754 | |
======== | |
| LC004754 - Page 4 of 4 |