2022 -- H 7883

========

LC004811

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2022

____________

AN ACT

RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

     

     Introduced By: Representatives Ruggiero, Craven, Hull, Williams, Morales, Ajello, Carson, Cortvriend, Slater, and Baginski

     Date Introduced: March 04, 2022

     Referred To: House Innovation, Internet, & Technology

     It is enacted by the General Assembly as follows:

     SECTION 1. Chapter 11-49.3 of the General Laws entitled "Identity Theft Protection Act of 2015" is hereby amended by adding thereto the following section:

     11-49.3-7. Cybersecurity incident response group.

     (a) The governor shall establish a cybersecurity incident response group, which shall include the superintendent of the Rhode Island state police, or designee, adjutant general of the Rhode Island national guard, or designee, director of the Rhode Island division of information technology, or designee, director of the Rhode Island emergency management agency, or designee, and the secretary of state, or designee.

     (b) The cybersecurity incident response group shall:

     (1) Establish communication protocols in the event of a breach or an incident of cybersecurity in any agency or public body. The protocols shall include, but not be limited to:

     (i) A list of potential cybersecurity breaches or incidents that would require reporting;

     (ii) State and local entities covered within the communication plan;

     (iii) Mechanisms to communicate a cybersecurity breach or incidents in a timely manner to members of the public and other relevant parties who may be affected by the breach; and

     (iv) Primary contact at each agency or public body.

     (c) The cybersecurity incident response group shall also establish long-term policy planning and goals for the state regarding evolving cybersecurity threats and how to address them in a coordinated manner.

 

     (d) The cybersecurity incident response group shall be subject to chapter 46 of title 42, ("open meetings"), and chapter 2 of title 38, ("access to public records").

     SECTION 2. Sections 11-49.3-3 and 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" are hereby amended to read as follows:

     11-49.3-3. Definitions.

     (a) The following definitions apply to this section:

     (1) "Breach of the security of the system" means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.

     (2) "Encrypted" means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.

     (3) "Health insurance information" means an individual's health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

     (4) "Incident" means any action taken through the use of an information system or network that results in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.

     (4)(5) "Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider.

     (5)(6) "Municipal agency" means any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode Island, other than a state agency, and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

     (6)(7) "Owner" means the original collector of the information.

     (7)(8) "Person" shall include any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.

 

LC004811 - Page 2 of 6

     (8)(9) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:

     (i) Social security number;

     (ii) Driver's license number, Rhode Island identification card number, or tribal identification number;

     (iii) Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account;

     (iv) Medical or health insurance information; or

     (v) E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.

     (9)(10) "Remediation service provider" means any person who or that, in the usual course of business, provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.

     (10)(11) "State agency" means any department, division, agency, commission, board, office, bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode Island general assembly or an agency or committee thereof; the judiciary; or any other agency that is in any branch of Rhode Island state government and that exercises governmental functions other than in an advisory nature.

     (b) For purposes of this section, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

     (c) For purposes of this section, "notice" may be provided by one of the following methods:

     (i) Written notice;

     (ii) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; or

     (iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal agency, state agency, or person does not have sufficient contact information. Substitute notice shall consist of all of the following:

     (A) E-mail notice when the municipal agency, state agency, or person has an e-mail address for the subject persons;

     (B) Conspicuous posting of the notice on the municipal agency's, state agency's or person's website page, if the municipal agency, state agency, or person maintains one; and

     (C) Notification to major statewide media.

     11-49.3-4. Notification of breach.

     (a)(1) Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

     (2) The notification shall be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.

     (2) An initial notification shall be made in the most expedient time possible, but no later than twenty-four (24) hours after confirmation of a cybersecurity incident or breach, to the cybersecurity incident response group and the attorney general. Notification requirements contained in subsection (d) of this section shall be made no later than fifteen (15) calendar days after confirmation of a cybersecurity incident or breach. In all notification requirements, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.

     (3) A secondary notification shall be made to the cybersecurity incident response group and the attorney general which includes the full details of the agency's informational technology security and operational requirements employed to protect the agency's data, including, but not limited to, documentation and reporting of remedial or corrective action plans to address any deficiencies in the information security policies, procedures, and practices of the agency.

     (b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

     (c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.

     (d) The notification to individuals must include the following information to the extent known:

     (1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;

     (2) The type of information that was subject to the breach;

     (3) Date of breach, estimated date of breach, or the date range within which the breach occurred;

     (4) Date that the breach was discovered;

     (5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and

     (6) A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.

     SECTION 3. This act shall take effect upon passage.


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

AN ACT

RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

***

     This act would create a cybersecurity incident response group that would promulgate cybersecurity breach related protocols for agencies and public bodies, require immediate notice of a breach within twenty-four (24) hours to the cybersecurity incident response group and the attorney general, and notice to the affected individuals no later than fifteen (15) days after the discovery of the breach.

     This act would take effect upon passage.
