2014 -- H 7519 | |
======== | |
LC004479 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2014 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION | |
| |
Introduced By: Representatives Kennedy, Keable, Kazarian, Naughton, and Williams | |
Date Introduced: February 13, 2014 | |
Referred To: House Judiciary | |
(Attorney General) | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Sections 11-49.2-3 and 11-49.2-5 of the General Laws in Chapter 11-49.2 |
2 | entitled "Identity Theft Protection" are hereby amended to read as follows: |
3 | 11-49.2-3. Notification of breach. -- (a) Any state agency or person that owns, maintains |
4 | or licenses computerized data that includes personal information, shall disclose any breach of the |
5 | security of the system which poses a significant risk of identity theft following discovery or |
6 | notification of the breach in the security of the data to any resident of Rhode Island whose |
7 | unencrypted personal information was, or is reasonably believed to have been, acquired by an |
8 | unauthorized person or a person without authority, to acquire said information. The disclosure |
9 | shall be made in the most expedient time possible and without unreasonable delay, consistent |
10 | with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures |
11 | necessary to determine the scope of the breach and restore the reasonable integrity of the data |
12 | system. The disclosure shall include, but not be limited to: |
13 | (1) The toll-free numbers and addresses for the consumer reporting agencies; |
14 | (2) The toll-free number, address, and website for the Federal Trade Commission; |
15 | (3) A statement that an individual can obtain information from these sources regarding |
16 | fraud alerts and security freezes; and |
17 | (4) A statement that warns against possible imposters who attempt to fraudulently notify |
18 | individuals of security breaches in an attempt to obtain personal identity information. |
19 | (b) Any state agency or person that maintains computerized unencripted data that |
| |
1 | includes personal information that the state agency or person does not own shall notify the owner |
2 | or licensee of the information of any breach of the security of the data which poses a significant |
3 | risk of identity theft immediately, following discovery, if the personal information was, or is |
4 | reasonably believed to have been, acquired by an unauthorized person. |
5 | (c) The notification required by this section may be delayed if a law enforcement agency |
6 | determines that the notification will impede a criminal investigation. The notification required by |
7 | this section shall be made after the law enforcement agency determines that it will not |
8 | compromise the investigation. |
9 | (d) The notification must be prompt and reasonable following the determination of the |
10 | breach unless otherwise provided in this section. Any state agency or person required to make |
11 | notification under this section and who fails to do so promptly following the determination of a |
12 | breach or receipt of notice from law enforcement as provided for is subsection (c) is liable for a |
13 | fine as set forth in section 11-49.2-6. |
14 | (e) Any state agency or person required to disclose a breach as provided in subsection (a) |
15 | of this section shall provide one year of credit monitoring to any resident of Rhode Island, at no |
16 | cost to the resident, whose personal information was, or is reasonably believed to have been, |
17 | acquired by an unauthorized person, or a person without authority to acquire said information. |
18 | 11-49.2-5. Definitions. -- The following definitions apply to this section: |
19 | (a) "Person" shall include any individual, partnership association, corporation or joint |
20 | venture. |
21 | (b) For purposes for this section, "breach of the security of the system" means |
22 | unauthorized acquisition of unencrypted computerized data that compromises the security, |
23 | confidentiality, or integrity of personal information maintained by the state agency or person. |
24 | Good faith acquisition of personal information by an employee or agent of the agency for the |
25 | purposes of the agency is not a breach of the security of the system; provided, that the personal |
26 | information is not used or subject to further unauthorized disclosure. |
27 | (c) For purposes of this section, "personal information" means an individual's first name |
28 | or first initial and last name in combination with any one or more of the following data elements, |
29 | when either the name or the data elements are not encrypted: |
30 | (1) Social security number; |
31 | (2) Driver's license number or Rhode Island Identification Card number; |
32 | (3) Account number, credit or debit card number, in combination with or without any |
33 | required security code, access code, or password, or personal identification number that would |
34 | permit access to an individual's financial account. |
| LC004479 - Page 2 of 4 |
1 | (d) For purposes of this section, "notice" may be provided by one of the following |
2 | methods: |
3 | (1) Written notice; |
4 | (2) Electronic notice, if the notice provided is consistent with the provisions regarding |
5 | electronic records and signatures set for the in Section 7001 of Title 15 of the United States Code; |
6 | (3) Substitute notice, if the state agency or person demonstrates that the cost of providing |
7 | notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject |
8 | persons to be notified exceeds fifty thousand (50,000), or the state agency or person does not have |
9 | sufficient contact information. Substitute notice shall consist of all of the following: |
10 | (A) E-mail notice when the state agency or person has an e-mail address for the subject |
11 | persons; |
12 | (B) Conspicuous posting of the notice on the state agency's or person's website page, if |
13 | the state agency or person maintains one; |
14 | (C) Notification to major statewide media. |
15 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004479 | |
======== | |
| LC004479 - Page 3 of 4 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION | |
*** | |
1 | This act would impose additional requirements upon a notice of breach and disclosure to |
2 | affected Rhode Island residents of the contact information for consumer reporting agencies and |
3 | the Federal Trade Commission; a statement that an individual can obtain information from these |
4 | sources regarding fraud alerts and security freezes; and a statement that warns against possible |
5 | imposters who attempt to fraudulently notify individuals of security breaches in an attempt to |
6 | obtain personal identity information. The act would also provide that the breached entity provide |
7 | the affected resident with one year of credit monitoring services at no cost to the resident. |
8 | This act would take effect upon passage. |
======== | |
LC004479 | |
======== | |
| LC004479 - Page 4 of 4 |