2016 -- H 7707

========

LC005082

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2016

____________

A N   A C T

RELATING TO CRIMINAL OFFENSES - THE IDENTITY THEFT PROTECTION ACT OF 2015

     

     Introduced By: Representatives Ruggiero, Craven, McEntee, Carson, and McKiernan

     Date Introduced: February 24, 2016

     Referred To: House Corporations

     It is enacted by the General Assembly as follows:

     SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" is hereby amended to read as follows:

     11-49.3-4. Notification of breach. [Effective July 2, 2016.] -- (a) (1) Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

      (2) The notification shall be made in the most expedient time possible, but no later than forty-five (45) fourteen (14) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made within twenty-four (24) hours and without delaying notice to affected Rhode Island residents.

      (b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

      (c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.

      (d) The notification to individuals must include the following information to the extent known:

      (1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;

      (2) The type of information that was subject to the breach;

      (3) Date of breach, estimated date of breach, or the date range within which the breach occurred;

      (4) Date that the breach was discovered;

      (5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and

      (6) A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.

     SECTION 2. This act shall take effect upon passage.


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO CRIMINAL OFFENSES - THE IDENTITY THEFT PROTECTION ACT OF 2015

***

     This act would reduce the time a person or governmental agency who stores personal information has to disclose a breach of that information's security from forty-five (45) days to fourteen (14) days and specifies that breaches affecting more than five hundred (500) people must be reported to the Attorney General and the major credit bureaus within twenty-four (24) hours.

     This act would take effect upon passage.
