2016 -- S 2600 | |
======== | |
LC005074 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2016 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - THE IDENTITY THEFT PROTECTION ACT OF | |
2015 | |
| |
Introduced By: Senators DiPalma, Algiere, Archambault, Coyne, and Lombardi | |
Date Introduced: February 25, 2016 | |
Referred To: Senate Judiciary | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity |
2 | Theft Protection Act of 2015" is hereby amended to read as follows: |
3 | 11-49.3-4. Notification of breach. [Effective July 2, 2016.] -- (a) (1) Any municipal |
4 | agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or |
5 | licenses data that includes personal information shall provide notification as set forth in this |
6 | section of any disclosure of personal information, or any breach of the security of the system, that |
7 | poses a significant risk of identity theft to any resident of Rhode Island whose personal |
8 | information was, or is reasonably believed to have been, acquired by an unauthorized person or |
9 | entity. |
10 | (2) The notification shall be made in the most expedient time possible, but no later than |
11 | forty-five (45) fourteen (14) calendar days after confirmation of the breach and the ability to |
12 | ascertain the information required to fulfill the notice requirements contained in subsection (d) of |
13 | this section, and shall be consistent with the legitimate needs of law enforcement as provided in |
14 | subsection (c) of this section. In the event that more than five hundred (500) Rhode Island |
15 | residents are to be notified, the municipal agency, state agency, or person shall notify the attorney |
16 | general and the major credit reporting agencies as to the timing, content, and distribution of the |
17 | notices and the approximate number of affected individuals. Notification to the attorney general |
18 | and the major credit reporting agencies shall be made within twenty-four (24) hours and without |
| |
1 | delaying notice to affected Rhode Island residents. |
2 | (b) The notification required by this section may be delayed if a federal, state, or local |
3 | law enforcement agency determines that the notification will impede a criminal investigation. The |
4 | federal, state, or local law enforcement agency must notify the municipal agency, state agency, or |
5 | person of the request to delay notification without unreasonable delay. If notice is delayed due to |
6 | such determination, then, as soon as the federal, state, or municipal law enforcement agency |
7 | determines and informs the municipal agency, state agency, or person that notification no longer |
8 | poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant |
9 | to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, |
10 | state, or municipal law enforcement in its investigation of any breach of security or unauthorized |
11 | acquisition or use, which shall include the sharing of information relevant to the incident; |
12 | provided however, that such disclosure shall not require the disclosure of confidential business |
13 | information or trade secrets. |
14 | (c) Any municipal agency, state agency, or person required to make notification under |
15 | this section and fails to do so is liable for a violation as set forth in ยง 11-49.3-5. |
16 | (d) The notification to individuals must include the following information to the extent |
17 | known: |
18 | (1) A general and brief description of the incident, including how the security breach |
19 | occurred and the number of affected individuals; |
20 | (2) The type of information that was subject to the breach; |
21 | (3) Date of breach, estimated date of breach, or the date range within which the breach |
22 | occurred; |
23 | (4) Date that the breach was discovered; |
24 | (5) A clear and concise description of any remediation services offered to affected |
25 | individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; |
26 | (ii) Remediation service providers; (iii) The attorney general; and |
27 | (6) A clear and concise description of the consumer's ability to file or obtain a police |
28 | report; how a consumer requests a security freeze and the necessary information to be provided |
29 | when requesting the security freeze; and that fees may be required to be paid to the consumer |
30 | reporting agencies. |
31 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC005074 | |
======== | |
| LC005074 - Page 2 of 3 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES - THE IDENTITY THEFT PROTECTION ACT OF | |
2015 | |
*** | |
1 | This act would reduce the time a person or governmental agency who stores personal |
2 | information has to disclose a breach of that information's security from forty-five (45) days to |
3 | fourteen (14) days and specifies that breaches affecting more than five hundred (500) people must |
4 | be reported to the Attorney General and the major credit bureaus within twenty-four (24) hours. |
5 | This act would take effect upon passage. |
======== | |
LC005074 | |
======== | |
| LC005074 - Page 3 of 3 |