2019 -- S 0537

========

LC001768

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2019

____________

A N   A C T

RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -

INTERNET PRIVACY AND SECURITY

     

     Introduced By: Senators DiPalma, Seveney, Coyne, Valverde, and McKenney

     Date Introduced: March 14, 2019

     Referred To: Senate Commerce

     It is enacted by the General Assembly as follows:

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

CHAPTER 47.1

INTERNET PRIVACY AND SECURITY

     6-47.1-1. Short title.

     This chapter shall be known and may be cited as the "Internet Privacy and Security Act."

     6-47.1-2. Definitions.

     For purposes of this chapter, the following terms have the following meanings:

     (1) "Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.

     (2) "Connected device" means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

     (3) "Manufacturer" means the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in Rhode Island. For the purposes of this subsection, a contract with another person to manufacture on the person's behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.

     (4) "Security feature" means a feature of a device designed to provide security for that device.

     (5) "Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

     6-47.1-3. Manufacturers of connected devices.

     (a) A manufacturer of a connected device for sale or installation in this state, shall equip the device with a reasonable security feature or features that are all of the following:

     (1) Appropriate to the nature and function of the device;

     (2) Appropriate to the information it may collect, contain, or transmit; and

     (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

     (b) Subject to all of the requirements of subsection (a) of this section, if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subsection (a) of this section if either of the following requirements are met:

     (1) The preprogrammed password is unique to each device manufactured; or

     (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

     6-47.1-4. Non-applications.

     (a) This chapter shall not be construed to:

     (1) Impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device;

     (2) Impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this chapter;

     (3) Impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion; or

     (4) Provide a basis for a private right of action. The attorney general shall have the exclusive authority to enforce the provisions of this chapter.

     (b) This chapter shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

     (c) The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

     (g) This chapter shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

     (h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191) or § 5-37.3-4 shall not be subject to this chapter with respect to any activity regulated by those acts.

     SECTION 2. This act shall take effect on January 1, 2020.


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS -

INTERNET PRIVACY AND SECURITY

***

     This act would establish that manufacturers of devices capable of connecting to the Internet equip the devices with reasonable security features.

     This act would take effect on January 1, 2020.
