2022 -- S 2031 | |
======== | |
LC003911 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2022 | |
____________ | |
A N A C T | |
RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS - | |
INTERNET PRIVACY AND SECURITY | |
| |
Introduced By: Senators DiPalma, Kallman, Burke, DiMario, Zurier, Euer, and Seveney | |
Date Introduced: January 25, 2022 | |
Referred To: Senate Commerce | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 59 |
4 | INTERNET PRIVACY AND SECURITY |
5 | 6-59-1. Short title. |
6 | This chapter shall be known and may be cited as the "Internet Privacy and Security Act." |
7 | 6-59-2. Definitions. |
8 | For purposes of this chapter, the following terms have the following meanings: |
9 | (1) "Authentication" means a method of verifying the authority of a user, process, or device |
10 | to access resources in an information system. |
11 | (2) "Connected device" means any device, or other physical object that is capable of |
12 | connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address |
13 | or Bluetooth address. |
14 | (3) "Manufacturer" means the person who manufactures, or contracts with another person |
15 | to manufacture on the person's behalf, connected devices that are sold or offered for sale in Rhode |
16 | Island. For the purposes of this subsection, a contract with another person to manufacture on the |
17 | person's behalf does not include a contract only to purchase a connected device, or only to purchase |
18 | and brand a connected device. |
| |
1 | (4) "Security feature" means a feature of a device designed to provide security for that |
2 | device. |
3 | (5) "Unauthorized access, destruction, use, modification, or disclosure" means access, |
4 | destruction, use, modification, or disclosure that is not authorized by the consumer. |
5 | 6-59-3. Manufacturers of connected devices. |
6 | (a) A manufacturer of a connected device for sale or installation in this state, shall equip |
7 | the device with a reasonable security feature or features that are all of the following: |
8 | (1) Appropriate to the nature and function of the device; |
9 | (2) Appropriate to the information it may collect, contain, or transmit; and |
10 | (3) Designed to protect the device and any information contained therein from |
11 | unauthorized access, destruction, use, modification, or disclosure. |
12 | (b) Subject to all of the requirements of subsection (a) of this section, if a connected device |
13 | is equipped with a means for authentication outside a local area network, it shall be deemed a |
14 | reasonable security feature under subsection (a) of this section if either of the following |
15 | requirements are met: |
16 | (1) The preprogrammed password is unique to each device manufactured; or |
17 | (2) The device contains a security feature that requires a user to generate a new means of |
18 | authentication before access is granted to the device for the first time. |
19 | 6-59-4. Non-applications. |
20 | (a) This chapter shall not be construed to: |
21 | (1) Impose any duty upon the manufacturer of a connected device related to unaffiliated |
22 | third-party software or applications that a user chooses to add to a connected device; |
23 | (2) Impose any duty upon a provider of an electronic store, gateway, marketplace, or other |
24 | means of purchasing or downloading software or applications, to review or enforce compliance |
25 | with this chapter; |
26 | (3) Impose any duty upon the manufacturer of a connected device to prevent a user from |
27 | having full control over a connected device, including the ability to modify the software or firmware |
28 | running on the device at the user's discretion; or |
29 | (4) Provide a basis for a private right of action. The attorney general shall have the |
30 | exclusive authority to enforce the provisions of this chapter. |
31 | (b) This chapter shall not apply to any connected device the functionality of which is |
32 | subject to security requirements under federal law, regulations, or guidance promulgated by a |
33 | federal agency pursuant to its regulatory enforcement authority. |
34 | (c) The duties and obligations imposed by this chapter are cumulative with any other duties |
| LC003911 - Page 2 of 4 |
1 | or obligations imposed under other law, and shall not be construed to relieve any party from any |
2 | duties or obligations imposed under other law. |
3 | (g) This chapter shall not be construed to limit the authority of a law enforcement agency |
4 | to obtain connected device information from a manufacturer as authorized by law or pursuant to an |
5 | order of a court of competent jurisdiction. |
6 | (h) A covered entity, provider of health care, business associate, health care service plan, |
7 | contractor, employer, or any other person subject to the federal Health Insurance Portability and |
8 | Accountability Act of 1996 (HIPAA) (Pub. L. 104-191) or ยง 5-37.3-4 shall not be subject to this |
9 | chapter with respect to any activity regulated by those acts. |
10 | SECTION 2. This act shall take effect on January 1, 2023. |
======== | |
LC003911 | |
======== | |
| LC003911 - Page 3 of 4 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS - | |
INTERNET PRIVACY AND SECURITY | |
*** | |
1 | This act would establish that manufacturers of devices capable of connecting to the Internet |
2 | equip the devices with reasonable security features. |
3 | This act would take effect on January 1, 2023. |
======== | |
LC003911 | |
======== | |
| LC003911 - Page 4 of 4 |