2014 -- S 2640

========

LC004480

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2014

____________

A N   A C T

RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION

     

     Introduced By: Senator Michael J.McCaffrey

     Date Introduced: March 04, 2014

     Referred To: Senate Judiciary

     (Attorney General)

It is enacted by the General Assembly as follows:

1

     SECTION 1. Sections 11-49.2-3 and 11-49.2-5 of the General Laws in Chapter 11-49.2

2

entitled "Identity Theft Protection" are hereby amended to read as follows:

3

     11-49.2-3. Notification of breach. -- (a) Any state agency or person that owns, maintains

4

or licenses computerized data that includes personal information, shall disclose any breach of the

5

security of the system which poses a significant risk of identity theft following discovery or

6

notification of the breach in the security of the data to any resident of Rhode Island whose

7

unencrypted personal information was, or is reasonably believed to have been, acquired by an

8

unauthorized person or a person without authority, to acquire said information. The disclosure

9

shall be made in the most expedient time possible and without unreasonable delay, consistent

10

with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures

11

necessary to determine the scope of the breach and restore the reasonable integrity of the data

12

system. The disclosure shall include, but not be limited to:

13

     (1) The toll-free numbers and addresses for the consumer reporting agencies;

14

     (2) The toll-free number, address, and website for the Federal Trade Commission;

15

     (3) A statement that an individual can obtain information from these sources regarding

16

fraud alerts and security freezes; and

17

     (4) A statement that warns against possible imposters who attempt to fraudulently notify

18

individuals of security breaches in an attempt to obtain personal identity information.

19

      (b) Any state agency or person that maintains computerized unencripted data that

 

1

includes personal information that the state agency or person does not own shall notify the owner

2

or licensee of the information of any breach of the security of the data which poses a significant

3

risk of identity theft immediately, following discovery, if the personal information was, or is

4

reasonably believed to have been, acquired by an unauthorized person.

5

      (c) The notification required by this section may be delayed if a law enforcement agency

6

determines that the notification will impede a criminal investigation. The notification required by

7

this section shall be made after the law enforcement agency determines that it will not

8

compromise the investigation.

9

      (d) The notification must be prompt and reasonable following the determination of the

10

breach unless otherwise provided in this section. Any state agency or person required to make

11

notification under this section and who fails to do so promptly following the determination of a

12

breach or receipt of notice from law enforcement as provided for is subsection (c) is liable for a

13

fine as set forth in section 11-49.2-6.

14

     (e) Any state agency or person required to disclose a breach as provided in subsection (a)

15

of this section shall provide one year of credit monitoring to any resident of Rhode Island, at no

16

cost to the resident, whose personal information was, or is reasonably believed to have been,

17

acquired by an unauthorized person, or a person without authority to acquire said information.

18

     11-49.2-5. Definitions. -- The following definitions apply to this section:

19

      (a) "Person" shall include any individual, partnership association, corporation or joint

20

venture.

21

      (b) For purposes for this section, "breach of the security of the system" means

22

unauthorized acquisition of unencrypted computerized data that compromises the security,

23

confidentiality, or integrity of personal information maintained by the state agency or person.

24

Good faith acquisition of personal information by an employee or agent of the agency for the

25

purposes of the agency is not a breach of the security of the system; provided, that the personal

26

information is not used or subject to further unauthorized disclosure.

27

      (c) For purposes of this section, "personal information" means an individual's first name

28

or first initial and last name in combination with any one or more of the following data elements,

29

when either the name or the data elements are not encrypted:

30

      (1) Social security number;

31

      (2) Driver's license number or Rhode Island Identification Card number;

32

      (3) Account number, credit or debit card number, in combination with or without any

33

required security code, access code, or password, or personal identification number that would

34

permit access to an individual's financial account.

 

LC004480 - Page 2 of 3

1

      (d) For purposes of this section, "notice" may be provided by one of the following

2

methods:

3

      (1) Written notice;

4

      (2) Electronic notice, if the notice provided is consistent with the provisions regarding

5

electronic records and signatures set for the in Section 7001 of Title 15 of the United States Code;

6

      (3) Substitute notice, if the state agency or person demonstrates that the cost of providing

7

notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject

8

persons to be notified exceeds fifty thousand (50,000), or the state agency or person does not have

9

sufficient contact information. Substitute notice shall consist of all of the following:

10

      (A) E-mail notice when the state agency or person has an e-mail address for the subject

11

persons;

12

      (B) Conspicuous posting of the notice on the state agency's or person's website page, if

13

the state agency or person maintains one;

14

      (C) Notification to major statewide media.

15

     SECTION 2. This act shall take effect upon passage.

========

LC004480

========

 

LC004480 - Page 3 of 3

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION

***

1

     This act would impose additional requirements upon a notice of breach and disclosure to

2

affected Rhode Island residents of the contact information for consumer reporting agencies and

3

the Federal Trade Commission; a statement that an individual can obtain information from these

4

sources regarding fraud alerts and security freezes; and a statement that warns against possible

5

imposters who attempt to fraudulently notify individuals of security breaches in an attempt to

6

obtain personal identity information. The act would also provide that the breached entity provide

7

the affected resident with one year of credit monitoring services at no cost to the resident.

8

     This act would take effect upon passage.

========

LC004480

========

 

LC004480 - Page 4 of 3