2015 -- S 0134 SUBSTITUTE A | |
======== | |
LC000486/SUB A/2 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2015 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION | |
| |
Introduced By: Senators DiPalma, McCaffrey, Algiere, Coyne, and Lombardi | |
Date Introduced: January 22, 2015 | |
Referred To: Senate Judiciary | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Chapter 11-49.2 of the General Laws entitled "Identity Theft Protection" is |
2 | hereby repealed in its entirety. |
3 | CHAPTER 11-49.2 |
4 | Identity Theft Protection |
5 | 11-49.2-1. Short title. -- This chapter shall be known and may be cited as the "Rhode |
6 | Island Identity Theft Protection Act of 2005." |
7 | 11-49.2-2. Legislative findings. -- It is hereby found and declared as follows: |
8 | (1) There is a growing concern regarding the possible theft of an individual's identity and |
9 | a resulting need for measures to protect the privacy of personal information. It is the intent of the |
10 | general assembly to ensure that personal information about Rhode Island residents is protected. |
11 | To that end, the purpose of this chapter is to require businesses that own or license personal |
12 | information about Rhode Islanders to provide reasonable security for that information. For the |
13 | purpose of this chapter, the phrase "owns or licenses" is intended to include, but is not limited to, |
14 | personal information that a business retains as part of the business' internal customer account or |
15 | for the purpose of using that information in transactions with the person to whom the information |
16 | relates. |
17 | (2) A business that owns or licenses computerized unencripted personal information |
18 | about a Rhode Island resident shall implement and maintain reasonable security procedures and |
19 | practices appropriate to the nature of the information, to protect the personal information from |
| |
1 | unauthorized access, destruction, use, modification, or disclosure. |
2 | (3) A business that discloses computerized unencripted personal information about a |
3 | Rhode Island resident pursuant to a contract with a nonaffiliated third-party shall require by |
4 | contract that the third-party implement and maintain reasonable security procedures and practices |
5 | appropriate to the nature of the information, to protect the personal information from |
6 | unauthorized access, destruction, use, modification, or disclosure. |
7 | 11-49.2-3. Notification of breach. -- (a) Any state agency or person that owns, maintains |
8 | or licenses computerized data that includes personal information, shall disclose any breach of the |
9 | security of the system which poses a significant risk of identity theft following discovery or |
10 | notification of the breach in the security of the data to any resident of Rhode Island whose |
11 | unencrypted personal information was, or is reasonably believed to have been, acquired by an |
12 | unauthorized person or a person without authority, to acquire said information. The disclosure |
13 | shall be made in the most expedient time possible and without unreasonable delay, consistent |
14 | with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures |
15 | necessary to determine the scope of the breach and restore the reasonable integrity of the data |
16 | system. |
17 | (b) Any state agency or person that maintains computerized unencripted data that |
18 | includes personal information that the state agency or person does not own shall notify the owner |
19 | or licensee of the information of any breach of the security of the data which poses a significant |
20 | risk of identity theft immediately, following discovery, if the personal information was, or is |
21 | reasonably believed to have been, acquired by an unauthorized person. |
22 | (c) The notification required by this section may be delayed if a law enforcement agency |
23 | determines that the notification will impede a criminal investigation. The notification required by |
24 | this section shall be made after the law enforcement agency determines that it will not |
25 | compromise the investigation. |
26 | (d) The notification must be prompt and reasonable following the determination of the |
27 | breach unless otherwise provided in this section. Any state agency or person required to make |
28 | notification under this section and who fails to do so promptly following the determination of a |
29 | breach or receipt of notice from law enforcement as provided for is subsection (c) is liable for a |
30 | fine as set forth in § 11-49.2-6. |
31 | 11-49.2-4. Notification of breach -- Consultation with law enforcement. -- |
32 | Notification of a breach is not required if, after an appropriate investigation or after consultation |
33 | with relevant federal, state, or local law enforcement agencies, a determination is made that the |
34 | breach has not and will not likely result in a significant risk of identity theft to the individuals |
| LC000486/SUB A/2 - Page 2 of 9 |
1 | whose personal information has been acquired. |
2 | 11-49.2-5. Definitions. -- The following definitions apply to this section: |
3 | (a) "Person" shall include any individual, partnership association, corporation or joint |
4 | venture. |
5 | (b) For purposes for this section, "breach of the security of the system" means |
6 | unauthorized acquisition of unencrypted computerized data that compromises the security, |
7 | confidentiality, or integrity of personal information maintained by the state agency or person. |
8 | Good faith acquisition of personal information by an employee or agent of the agency for the |
9 | purposes of the agency is not a breach of the security of the system; provided, that the personal |
10 | information is not used or subject to further unauthorized disclosure. |
11 | (c) For purposes of this section, "personal information" means an individual's first name |
12 | or first initial and last name in combination with any one or more of the following data elements, |
13 | when either the name or the data elements are not encrypted: |
14 | (1) Social security number; |
15 | (2) Driver's license number or Rhode Island Identification Card number; |
16 | (3) Account number, credit or debit card number, in combination with any required |
17 | security code, access code, or password that would permit access to an individual's financial |
18 | account. |
19 | (d) For purposes of this section, "notice" may be provided by one of the following |
20 | methods: |
21 | (1) Written notice; |
22 | (2) Electronic notice, if the notice provided is consistent with the provisions regarding |
23 | electronic records and signatures set for the in Section 7001 of Title 15 of the United States Code; |
24 | (3) Substitute notice, if the state agency or person demonstrates that the cost of providing |
25 | notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject |
26 | persons to be notified exceeds fifty thousand (50,000), or the state agency or person does not have |
27 | sufficient contact information. Substitute notice shall consist of all of the following: |
28 | (A) E-mail notice when the state agency or person has an e-mail address for the subject |
29 | persons; |
30 | (B) Conspicuous posting of the notice on the state agency's or person's website page, if |
31 | the state agency or person maintains one; |
32 | (C) Notification to major statewide media. |
33 | 11-49.2-6. Penalties for violation. -- (a) Each violation of this chapter is a civil violation |
34 | for which a penalty of not more than a hundred dollars ($100) per occurrence and not more than |
| LC000486/SUB A/2 - Page 3 of 9 |
1 | twenty-five thousand dollars ($25,000) may be adjudged against a defendant. |
2 | (b) No Waiver of Notification. - Any waiver of a provision of this section is contrary to |
3 | public policy and is void and unenforceable. |
4 | 11-49.2-7. Agencies with security breach procedures. -- Any state agency or person |
5 | that maintains its own security breach procedures as part of an information security policy for the |
6 | treatment of personal information and otherwise complies with the timing requirements of § 11- |
7 | 49.2-3, shall be deemed to be in compliance with the security breach notification requirements of |
8 | § 11-49.2-3, provided such person notifies subject persons in accordance with such person's |
9 | policies in the event of a breach of security. Any person that maintains such a security breach |
10 | procedure pursuant to the rules, regulations, procedures or guidelines established by the primary |
11 | or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with |
12 | the security breach notification requirements of this section, provided such person notifies subject |
13 | persons in accordance with the policies or the rules, regulations, procedures or guidelines |
14 | established by the primary or functional regulator in the event of a breach of security of the |
15 | system. A financial institution, trust company, credit union or its affiliates that is subject to and |
16 | examined for, and found in compliance with the Federal Interagency Guidelines on Response |
17 | Programs for Unauthorized Access to Customer Information and Customer Notice shall be |
18 | deemed in compliance with this chapter. A provider of health care, health care service plan, |
19 | health insurer, or a covered entity governed by the medical privacy and security rules issued by |
20 | the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code |
21 | of Federal Regulations, established pursuant to the Health Insurance Portability and |
22 | Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter. |
23 | SECTION 2. Title 11 of the General Laws entitled "CRIMINAL OFFENSES" is hereby |
24 | amended by adding thereto the following chapter: |
25 | CHAPTER 49.3 |
26 | IDENTITY THEFT PROTECTION ACT OF 2015 |
27 | 11-49.3-1. Short title. -- This chapter shall be known and may be cited as the "Rhode |
28 | Island Identity Theft Protection Act of 2015." |
29 | 11-49.3-2. Risk-based information security program. -- (a) A municipal agency, state |
30 | agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses |
31 | personal information about a Rhode Island resident shall implement and maintain a risk-based |
32 | information security program which contains reasonable security procedures and practices |
33 | appropriate to the size and scope of the organization, the nature of the information and the |
34 | purpose for which the information was collected in order to protect the personal information from |
| LC000486/SUB A/2 - Page 4 of 9 |
1 | unauthorized access, use, modification, destruction or disclosure and to preserve the |
2 | confidentiality, integrity, and availability of such information. A municipal agency, state agency |
3 | or person shall not retain personal information for a period longer than is reasonably required to |
4 | provide the services requested, to meet the purpose for which it was collected, or in accordance |
5 | with a written retention policy or as may be required by law. A municipal agency, state agency or |
6 | person shall destroy all personal information, regardless of the medium that such information is |
7 | in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or |
8 | erasure. |
9 | (b) A municipal agency, state agency or person that discloses personal information about |
10 | a Rhode Island resident to a nonaffiliated third party shall require by written contract that the |
11 | third party implement and maintain reasonable security procedures and practices appropriate to |
12 | the size and scope of the organization, the nature of the information and the purpose for which the |
13 | information was collected in order to protect the personal information from unauthorized access, |
14 | use, modification, destruction, or disclosure. |
15 | 11-49.3-3. Definitions. -- (a) The following definitions apply to this section: |
16 | (1) "Breach of the security of the system" means unauthorized access or acquisition of |
17 | unencrypted computerized data information that compromises the security, confidentiality, or |
18 | integrity of personal information maintained by the municipal agency, state agency or person. |
19 | Good faith acquisition of personal information by an employee or agent of the agency for the |
20 | purposes of the agency is not a breach of the security of the system; provided, that the personal |
21 | information is not used or subject to further unauthorized disclosure. |
22 | (2) "Encrypted" means the transformation of data through the use of a one hundred |
23 | twenty-eight (128) bit or higher algorithmic process into a form in which there is a low |
24 | probability of assigning meaning without use of a confidential process or key. Data shall not be |
25 | considered to be encrypted if it is acquired in combination with any key, security code, or |
26 | password that would permit access to the encrypted data. |
27 | (3) "Health Insurance Information" means an individual’s health insurance policy number |
28 | or subscriber identification number, any unique identifier used by a health insurer to identify the |
29 | individual, or any information in an individual’s application and claims history, including any |
30 | appeals records or any information relating to payment for the provision of health care. |
31 | (4) "Medical Information" means any information regarding an individual's medical |
32 | history, mental or physical condition, or medical treatment or diagnosis by a health care |
33 | professional or provider. |
34 | (5) "Municipal Agency" means any department, division, agency, commission, board, |
| LC000486/SUB A/2 - Page 5 of 9 |
1 | office, bureau, authority, quasi-public authority, or school, fire or water district within Rhode |
2 | Island other than a state agency and any other agency that is in any branch of municipal |
3 | government and exercises governmental functions other than in an advisory nature. |
4 | (6) "Owner" means the original collector of the information. |
5 | (7) "Person" shall include any individual, sole proprietorship, partnership, association, |
6 | corporation, or joint venture, business or legal entity, trust, estate, cooperative or other |
7 | commercial entity. |
8 | (8) "Personal information" means an individual's first name or first initial and last name |
9 | in combination with any one or more of the following data elements, when either the name or the |
10 | data elements are not encrypted or are in hard copy paper format: |
11 | (i) Social security number; |
12 | (ii) Driver's license number, or Rhode Island identification card number or tribal |
13 | identification number; |
14 | (iii) Account number, credit or debit card number, in combination with any required |
15 | security code, access code, password or personal identification number that would permit access |
16 | to an individual's financial account; |
17 | (iv) Medical or health insurance information; or |
18 | (v) E-mail address with any required security code, access code, or password that would |
19 | permit access to an individual's personal, medical, insurance or financial account. |
20 | (9) "State agency" means any department, division, agency, commission, board, office, |
21 | bureau, authority, or quasi-public authority within Rhode Island, either branch of the Rhode |
22 | Island general assembly, or an agency or committee thereof, the judiciary, or any other agency |
23 | that is in any branch of Rhode Island state government and which exercises governmental |
24 | functions other than in an advisory nature. |
25 | (b) For purposes of this section, personal information does not include publicly available |
26 | information that is lawfully made available to the general public from federal, state or local |
27 | government records. |
28 | (c) For purposes of this section, "notice" may be provided by one of the following |
29 | methods: |
30 | (i) Written notice; |
31 | (ii) Electronic notice, if the notice provided is consistent with the provisions regarding |
32 | electronic records and signatures set forth in 15 U.S.C. § 7001; |
33 | (iii) Substitute notice, if the municipal agency, state agency or person demonstrates that |
34 | the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the |
| LC000486/SUB A/2 - Page 6 of 9 |
1 | affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal |
2 | agency, state agency or person does not have sufficient contact information. Substitute notice |
3 | shall consist of all of the following: |
4 | (A) E-mail notice when the municipal agency, state agency or person has an e-mail |
5 | address for the subject persons; |
6 | (B) Conspicuous posting of the notice on the municipal agency's, state agency's or |
7 | person's website page, if the municipal agency, state agency or person maintains one; and |
8 | (C) Notification to major statewide media. |
9 | 11-49.3-4. Notification of breach. -- (a)(1) Any municipal agency, state agency or |
10 | person that stores, collects, processes, maintains, acquires, uses, owns or licenses data that |
11 | includes personal information, shall provide notification as set forth in this section of any |
12 | disclosure of personal information, or any breach of the security of the system, which poses a risk |
13 | of identity theft to any resident of Rhode Island whose personal information was, or is reasonably |
14 | believed to have been, acquired by an unauthorized person or entity. A municipal agency, state |
15 | agency or person that owns the personal information that is subject to a breach of the security of |
16 | the system shall notify according to this subsection (a) and any municipal agency, state agency or |
17 | person that stores, collects, processes, maintains, acquires, licenses or uses personal information, |
18 | but does not own such information, shall notify as set forth in subsection (b) of this section. |
19 | (2) The notification shall be made in the most expedient time possible but no later than |
20 | thirty (30) calendar days after discovery and consistent with the legitimate needs of law |
21 | enforcement as provided in subsection (c) of this section. In the event that any Rhode Island |
22 | residents are to be notified, the municipal agency, state agency or person shall notify the attorney |
23 | general and the major credit reporting agencies as to the timing, content and distribution of the |
24 | notices and the approximate number of affected individuals. Notification to the attorney general |
25 | and the major credit reporting agencies shall be made without delaying notice to affected Rhode |
26 | Island residents. |
27 | (b) Any municipal agency, state agency or person that stores, collects, processes, |
28 | maintains, acquires, uses, licenses, provides services using, or has access to personal information |
29 | about Rhode Island residents that the municipal agency, state agency or person does not own shall |
30 | notify and cooperate fully with the owner of the information of any breach of the security of the |
31 | data which poses a risk of identity theft immediately following discovery, if the personal |
32 | information was, or is reasonably believed to have been, acquired by an unauthorized person. |
33 | (c) The notification required by this section may be delayed if a federal, state or local law |
34 | enforcement agency determines that the notification will impede a criminal investigation. The |
| LC000486/SUB A/2 - Page 7 of 9 |
1 | federal, state or local law enforcement agency must notify the municipal agency, state agency or |
2 | person of the request to delay notification without unreasonable delay. If notice is delayed due to |
3 | such determination then as soon as the federal, state or municipal law enforcement agency |
4 | determines and informs the municipal agency, state agency or person that notification no longer |
5 | poses a risk of impeding an investigation, notice shall be provided, as soon as practicable and |
6 | without unreasonable delay but no later than thirty (30) calendar days after the law enforcement |
7 | agency determination. The municipal agency, state agency or person shall cooperate with federal, |
8 | state or municipal law enforcement in its investigation of any breach of security or unauthorized |
9 | acquisition or use, which shall include the sharing of information relevant to the incident; |
10 | provided however, that such disclosure shall not require the disclosure of confidential business |
11 | information or trade secrets. |
12 | (d) The notification must be prompt and reasonable following the determination of the |
13 | breach unless otherwise provided in this section. Any municipal agency, state agency or person |
14 | required to make notification under this section and who fails to do so is liable for a violation as |
15 | set forth in § 11-49.3-5. |
16 | (e) The notification to individuals must include the following information to the extent |
17 | known: |
18 | (1) A general description of the incident, including how the security breach occurred and |
19 | the number of affected individuals; |
20 | (2) The type of information that was subject to the breach; |
21 | (3) Date of breach, estimated date of breach or the date range within which the breach |
22 | occurred; |
23 | (4) Date that the breach was discovered; |
24 | (5) A clear and concise description of any remediation services offered to affected |
25 | individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; |
26 | (ii) Remediation service providers; (iii) The attorney general; and |
27 | (6) A clear and concise description of: the consumer's right to file or obtain a police |
28 | report; how a consumer requests a security freeze and the necessary information to be provided |
29 | when requesting the security freeze; and that fees may be required to be paid to the consumer |
30 | reporting agencies. |
31 | 11-49.3-5. Penalties for violation. -- (a) Each reckless violation of this chapter is a civil |
32 | violation for which a penalty of not more than one hundred dollars ($100) per record may be |
33 | adjudged against a defendant. |
34 | (b) Each knowing and willful violation of this chapter is a civil violation for which a |
| LC000486/SUB A/2 - Page 8 of 9 |
1 | penalty of not more than two hundred dollars ($200) per record may be adjudged against a |
2 | defendant. |
3 | (c) Whenever the attorney general has reason to believe that a violation of this chapter |
4 | has occurred and that proceedings would be in the public interest, the attorney general may bring |
5 | an action in the name of the state against the business or person in violation. |
6 | (d) Any waiver of a provision of this section is contrary to public policy and is void and |
7 | unenforceable. |
8 | 11-49.3-6. Agencies or persons with security breach procedures. -- (a) Any municipal |
9 | agency, state agency or person shall be deemed to be in compliance with the security breach |
10 | notification requirements of § 11-49.3-4, if: |
11 | (1) The municipal agency, state agency or person maintains its own security breach |
12 | procedures as part of an information security policy for the treatment of personal information and |
13 | otherwise complies with the timing requirements of § 11-49.3-4, and notifies subject persons in |
14 | accordance with such municipal agency’s, state agency’s, or person's notification policies in the |
15 | event of a breach of security; or |
16 | (2) The person maintains a security breach procedure pursuant to the rules, regulations, |
17 | procedures or guidelines established by the primary or functional regulator, as defined in 15 |
18 | U.S.C. § 6809(2), and notifies subject persons in accordance with the policies or the rules, |
19 | regulations, procedures or guidelines established by the primary or functional regulator in the |
20 | event of a breach of security of the system. |
21 | (b) A financial institution, trust company, credit union or its affiliates that is subject to |
22 | and examined for, and found in compliance with the Federal Interagency Guidelines on Response |
23 | Programs for Unauthorized Access to Customer Information and Customer Notice shall be |
24 | deemed in compliance with this chapter. |
25 | (c) A provider of health care, health care service plan, health insurer, or a covered entity |
26 | governed by the medical privacy and security rules issued by the Federal Department of Health |
27 | and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, |
28 | established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) |
29 | shall be deemed in compliance with this chapter. |
30 | SECTION 3. This act shall take effect one year following the date of passage. |
======== | |
LC000486/SUB A/2 | |
======== | |
| LC000486/SUB A/2 - Page 9 of 9 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION | |
*** | |
1 | This act would create the Identity Theft Protection Act of 2015, to protect personal |
2 | information from unauthorized access, use, modification, destruction or disclosure, and to |
3 | preserve the confidentiality and integrity of such information. |
4 | This act would take effect one year following the date of passage. |
======== | |
LC000486/SUB A/2 | |
======== | |
| LC000486/SUB A/2 - Page 10 of 9 |