2025 -- H 5301 | |
======== | |
LC000745 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2025 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015 | |
| |
Introduced By: Representatives Phillips, Serpa, Fellela, Casey, J. Brien, Cruz, O'Brien, | |
Date Introduced: February 05, 2025 | |
Referred To: House Innovation, Internet, & Technology | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity |
2 | Theft Protection Act of 2015" is hereby amended to read as follows: |
3 | 11-49.3-4. Notification of breach. |
4 | (a)(1) Any municipal agency, state agency, or any other person or entity who or that stores, |
5 | owns, collects, processes, maintains, acquires, uses, or licenses data, or any agency, entity, or any |
6 | other person that maintains or stores, but does not own or license, data that includes personal |
7 | information shall provide notification as set forth in this section of any disclosure of personal |
8 | information, or any breach of the security of the system, that poses a significant risk of identity |
9 | theft to any resident of Rhode Island whose personal information was, or is reasonably believed to |
10 | have been, acquired by an unauthorized person or entity. In addition to providing notice as required |
11 | in this section, the municipal agency, state agency, or any other person or entity shall cooperate |
12 | with the owner or licensor of such information. Such cooperation shall include, but not be limited |
13 | to, informing the owner or licensor of the breach of security, the date and approximate time of the |
14 | breach, and any steps taken related to minimizing the breach upon discovery. Cooperation shall not |
15 | include the requirement that any agency, public or private entity or other person disclose |
16 | confidential business information or trade secrets. |
17 | (2) The notification shall be made in the most expedient time possible and without |
18 | unreasonable delay, subject to the following: |
19 | (i) For state and municipal agencies, no later than thirty (30) calendar days after the |
1 | municipal agency, state agency or other person or entity knows or has reason to know that any |
2 | personal information has been acquired or used by an unauthorized person or entity, and/or upon |
3 | confirmation of the breach and the ability to ascertain the information required to fulfill the notice |
4 | requirements contained in subsection (d), and shall be consistent with the legitimate needs of law |
5 | enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode |
6 | Island residents are to be notified, the The municipal agency or state agency shall notify the attorney |
7 | general, the department of business regulation, and the major credit reporting agencies as to the |
8 | timing, content, and distribution of the notices and the approximate number of affected individuals. |
9 | Notification to the attorney general, the department of business regulations, and the major credit |
10 | reporting agencies shall be made without delaying notice to affected Rhode Island residents. Where |
11 | affected employees are represented by a labor union through a collective bargaining agreement, the |
12 | employer shall also notify the collective bargaining agent, or designee, of such breaches. Notice to |
13 | the department of attorney general, the department of business regulation, the major credit reporting |
14 | agencies and designee of impacted labor unions shall include the nature of the breach of security |
15 | or unauthorized acquisition, the number of people affected by the incident, the name and address |
16 | of the agency, person or entity reporting the breach of security, the person responsible for |
17 | committing the breach, if known, and the type of personal information compromised, including, |
18 | but not limited to, social security numbers, bank account numbers, credit/debit card numbers or any |
19 | other information that may have the potential to impact any person’s privacy or financial security. |
20 | (ii) For persons subject to subsection (a)(1), which is not a state or municipal agency, no |
21 | later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain |
22 | the information required to fulfill the notice requirements contained in subsection (d), and shall be |
23 | consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event |
24 | that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify |
25 | the attorney general and the major credit reporting agencies as to the timing, content, and |
26 | distribution of the notices and the approximate number of affected individuals. Notification to the |
27 | attorney general and the major credit reporting agencies shall be made without delaying notice to |
28 | affected Rhode Island residents. |
29 | (b) The notification required by this section may be delayed if a federal, state, or local law |
30 | enforcement agency determines that the notification will impede a criminal investigation. The |
31 | federal, state, or local law enforcement agency must notify the municipal agency, state agency, or |
32 | person of the request to delay notification without unreasonable delay. If notice is delayed due to |
33 | such determination, then, as soon as the federal, state, or municipal law enforcement agency |
34 | determines and informs the municipal agency, state agency, or person that notification no longer |
| LC000745 - Page 2 of 5 |
1 | poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant |
2 | to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, |
3 | state, or municipal law enforcement in its investigation of any breach of security or unauthorized |
4 | acquisition or use, which shall include the sharing of information relevant to the incident; provided |
5 | however, that such disclosure shall not require the disclosure of confidential business information |
6 | or trade secrets. |
7 | (c) Any municipal agency, state agency, or person required to make notification under this |
8 | section and fails to do so is liable for a violation as set forth in § 11-49.3-5. |
9 | (d) The notification to individuals must include the following information to the extent |
10 | known: |
11 | (1) A general and brief description of the incident, including how the security breach |
12 | occurred and the number of affected individuals; |
13 | (2) The type of information that was subject to the breach; |
14 | (3) Date of breach, estimated date of breach, or the date range within which the breach |
15 | occurred; |
16 | (4) Date that the breach was discovered; |
17 | (5) A clear and concise description of any remediation services offered to affected |
18 | individuals including toll free numbers and websites to contact: |
19 | (i) The credit reporting agencies; |
20 | (ii) Remediation service providers; |
21 | (iii) The attorney general; and |
22 | (6) A clear and concise description of the consumer’s ability to file or obtain a police report; |
23 | how a consumer requests a security freeze and the necessary information to be provided when |
24 | requesting the security freeze; and that no fees may be required to be paid to the consumer reporting |
25 | agencies when any person requesting a security freeze does so as a result of any breach. |
26 | (e) For state and municipal agencies remediation services to be provided and to be |
27 | described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be |
28 | limited to: |
29 | (1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of |
30 | coverage; and |
31 | (2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no |
32 | less than two (2) years of coverage beyond age eighteen (18). |
1 | SECTION 2. This act shall take effect upon passage. |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015 | |
*** | |
1 | This act would expand the responsibilities of those municipal or state agencies or any other |
2 | person or entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data, |
3 | who experiences a security breach. Responsibilities would include providing additional |
4 | information to persons affected and providing additional cooperation and information to law |
5 | enforcement and the department of business regulation (DBR). |
6 | This act would take effect upon passage. |