2022 -- H 7566 | |
======== | |
LC004818 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2022 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- INDENTITY THEFT PROTECTION ACT OF | |
2015 | |
| |
Introduced By: Representatives Ackerman, Shekarchi, and Filippi | |
Date Introduced: February 18, 2022 | |
Referred To: House Judiciary | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Section 11-49.3-3 of the General Laws in Chapter 11-49.3 entitled "Identity |
2 | Theft Protection Act of 2015" is hereby amended to read as follows: |
3 | 11-49.3-3. Definitions. |
4 | (a) The following definitions apply to this section: |
5 | (1) "Breach of the security of the system" means unauthorized access or acquisition of |
6 | unencrypted, computerized data information that compromises the security, confidentiality, or |
7 | integrity of personal information maintained by the municipal agency, state agency, or person. |
8 | Good-faith acquisition of personal information by an employee or agent of the agency for the |
9 | purposes of the agency is not a breach of the security of the system; provided, that the personal |
10 | information is not used or subject to further unauthorized disclosure. |
11 | (2) "Encrypted" means the transformation of data through the use of a one hundred twenty- |
12 | eight (128) bit or higher algorithmic process into a form in which there is a low probability of |
13 | assigning meaning without use of a confidential process or key. Data shall not be considered to be |
14 | encrypted if it is acquired in combination with any key, security code, or password that would |
15 | permit access to the encrypted data. |
16 | (3) "Health insurance information" means an individual's health insurance policy number, |
17 | subscriber identification number, or any unique identifier used by a health insurer to identify the |
18 | individual. |
| |
1 | (4) "Medical information" means any information regarding an individual's medical |
2 | history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional |
3 | or provider. |
4 | (5) "Municipal agency" means any department, division, agency, commission, board, |
5 | office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode |
6 | Island, other than a state agency, and any other agency that is in any branch of municipal |
7 | government and exercises governmental functions other than in an advisory nature. |
8 | (6) "Owner" means the original collector of the information. |
9 | (7) "Person" shall include any individual, sole proprietorship, partnership, association, |
10 | corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial |
11 | entity. |
12 | (8) "Personal information" means an individual's first name or first initial and last name in |
13 | combination with any one or more of the following data elements, when the name and the data |
14 | elements are not encrypted or are in hard copy, paper format: |
15 | (i) Social security number; |
16 | (ii) Driver's license number, Rhode Island identification card number, or tribal |
17 | identification number; |
18 | (iii) Account number, credit, or debit card number, in combination with any required |
19 | security code, access code, password, or personal identification number, that would permit access |
20 | to an individual's financial account; |
21 | (iv) Medical or health insurance information; or |
22 | (v) E-mail address with any required security code, access code, or password that would |
23 | permit access to an individual's personal, medical, insurance, or financial account.; or |
24 | (vi) Any information concerning a natural person which, because of name, number, |
25 | personal mark, or other identifier, can be used to identify such natural person. |
26 | (9) "Remediation service provider" means any person who or that, in the usual course of |
27 | business, provides services pertaining to a consumer credit report including, but not limited to, |
28 | credit report monitoring and alerts, that are intended to mitigate the potential for identity theft. |
29 | (10) "State agency" means any department, division, agency, commission, board, office, |
30 | bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode Island |
31 | general assembly or an agency or committee thereof; the judiciary; or any other agency that is in |
32 | any branch of Rhode Island state government and that exercises governmental functions other than |
33 | in an advisory nature. |
34 | (b) For purposes of this section, personal information does not include publicly available |
| LC004818 - Page 2 of 4 |
1 | information that is lawfully made available to the general public from federal, state, or local |
2 | government records. |
3 | (c) For purposes of this section, "notice" may be provided by one of the following methods: |
4 | (i) Written notice; |
5 | (ii) Electronic notice, if the notice provided is consistent with the provisions regarding |
6 | electronic records and signatures set forth in 15 U.S.C. § 7001; or |
7 | (iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that |
8 | the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the |
9 | affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal |
10 | agency, state agency, or person does not have sufficient contact information. Substitute notice shall |
11 | consist of all of the following: |
12 | (A) E-mail notice when the municipal agency, state agency, or person has an e-mail address |
13 | for the subject persons; |
14 | (B) Conspicuous posting of the notice on the municipal agency's, state agency's or person's |
15 | website page, if the municipal agency, state agency, or person maintains one; and |
16 | (C) Notification to major statewide media. |
17 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004818 | |
======== | |
| LC004818 - Page 3 of 4 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- INDENTITY THEFT PROTECTION ACT OF | |
2015 | |
*** | |
1 | This act would expand the definition of "personal information" to include a catchall |
2 | category, ensuring the ever-changing forms of personal information that can be used to commit |
3 | identity theft are protected. These other forms of personal information include biometric data, ITIN |
4 | numbers, passport numbers, or any range of data that "can be used to identify" a person. Hacks and |
5 | breaches impacting consumers who have provided a business or governmental entity with these |
6 | additional forms of data would trigger the breach notification provisions in § 11-49.3-4 and the |
7 | risk-based information security program provisions in § 11-49.3-2. |
8 | This act would take effect upon passage. |
======== | |
LC004818 | |
======== | |
| LC004818 - Page 4 of 4 |