2020 -- H 7723
========
LC005062
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2020
____________
AN ACT
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
ESTABLISHING THE "CONSUMER PERSONAL DATA PROTECTION ACT OF 2020"

Introduced By: Representatives Edwards, Shanley, Barros, Cassar, and Carson
Date Introduced: February 26, 2020
Referred To: House Judiciary
It is enacted by the General Assembly as follows:
1 | SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL |
2 | REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter: |
3 | CHAPTER 48.1 |
4 | CONSUMER PERSONAL DATA PROTECTION ACT OF 2020 |
5 | 6-48.1-1. Short title. |
6 | This chapter shall be known and may be cited as the "Consumer Personal Data Protection |
7 | Act of 2020." |
8 | 6-48.1-2. Legislative findings and intent. |
9 | (a) The general assembly hereby finds that: |
10 | (1) It serves the best interest of the public to provide consumers with more information |
11 | about data brokers, and their data collection practices: |
12 | (i) While many different types of businesses collect data about consumers, a "data broker" |
13 | is in the business of aggregating and selling data about consumers with whom the business does |
14 | not have a direct relationship; |
15 | (ii) A data broker collects many hundreds or thousands of data points about consumers |
16 | from multiple sources, including: Internet browsing history; online purchases; public records; |
17 | location data; loyalty programs; and subscription information. The data broker then scrubs the data |
18 | to ensure accuracy; analyzes the data to assess content; and packages the data for sale to a third |
| |
1 | party; |
2 | (iii) Data brokers provide information that is critical to services offered in the modern |
3 | economy, including: targeted marketing and sales; credit reporting; background checks; |
4 | government information; risk mitigation and fraud detection; people search; decisions by banks, |
5 | insurers, or others whether to provide services; ancestry research; and voter targeting and strategy |
6 | by political campaigns; |
7 | (iv) While data brokers offer many benefits, there are also risks associated with the |
8 | widespread aggregation and sale of data about consumers, including risks related to consumers' |
9 | ability to know and control information held and sold about them and risks arising from the |
10 | unauthorized or harmful acquisition and use of consumer information; |
11 | (v) There are important differences between "data brokers" and businesses with whom |
12 | consumers have a direct relationship: |
13 | (A) Consumers who have a direct relationship with traditional and e-commerce businesses |
14 | may have some level of knowledge about and control over the collection of data by those |
15 | businesses, including: the choice to use the business's products or services; the ability to review |
16 | and consider data collection policies; the ability to opt-out of certain data collection practices; the |
17 | ability to identify and contact customer representatives; the ability to pursue contractual remedies |
18 | through litigation; and the knowledge necessary to file a complaint with law enforcement; |
19 | (B) By contrast, consumers may not be aware that data brokers exist, who the companies |
20 | are, or what information they collect, and may not be aware of available recourse; |
21 | (vi) The state of Rhode Island has the legal authority and duty to exercise its traditional |
22 | "police powers" to ensure the public health, safety, and welfare, which includes both the right to |
23 | regulate businesses that operate in the state and engage in activities that affect Rhode Island |
24 | consumers as well as the right to require disclosure of information to protect consumers from harm; |
25 | (vii) To provide consumers with necessary information about data brokers, Rhode Island |
26 | adopts a narrowly tailored definition of "data broker" and requires data brokers to register annually |
27 | with the secretary of state and provide information about their data collection activities, opt-out |
28 | policies, purchaser credentialing practices, and security breaches; |
29 | (2) The public interest requires that data brokers have adequate security standards: |
30 | (i) News headlines in the past several years demonstrate that large and sophisticated |
31 | businesses, governments, and other public and private institutions are constantly subject to |
32 | cyberattacks, which have compromised sensitive personal information of literally billions of |
33 | consumers worldwide; |
34 | (ii) While neither government nor industry can prevent every security breach, the state of |
| LC005062 - Page 2 of 19 |
1 | Rhode Island has the authority and the duty to enact legislation to protect its consumers where |
2 | possible; |
3 | (iii) One approach to protecting consumer data has been to require government agencies |
4 | and certain regulated businesses to adopt an "information security program" that has "appropriate |
5 | administrative, technical, and physical safeguards to ensure the security and confidentiality of |
6 | records" and "to protect against any anticipated threats or hazards to their security or integrity which |
7 | could result in substantial harm." Federal Privacy Act, 5 U.S.C. § 552a; |
8 | (iv) The requirement to adopt such an information security program currently applies to |
9 | "financial institutions" subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., to persons |
10 | who maintain or transmit health information regulated by the Health Insurance Portability and |
11 | Accountability Act, and to various types of businesses under laws in at least thirteen (13) other |
12 | states; |
13 | (v) Rhode Island can better protect its consumers from data broker security breaches and |
14 | related harm by requiring data brokers to adopt an information security program with appropriate |
15 | administrative, technical, and physical safeguards to protect sensitive personal information; |
16 | (3) A need exists to prohibit the acquisition of personal information through fraudulent |
17 | means or with the intent to commit wrongful acts: |
18 | (i) One of the dangers of the broad availability of sensitive personal information is that it |
19 | can be used with malicious intent to commit wrongful acts, such as stalking, harassment, fraud, |
20 | discrimination, and identity theft; |
21 | (ii) While various criminal and civil statutes prohibit these wrongful acts, there is currently |
22 | no prohibition on acquiring data for the purpose of committing such acts; |
23 | (iii) Rhode Island hereby creates new causes of action to prohibit the acquisition of |
24 | personal information through fraudulent means, or for the purpose of committing a wrongful act, |
25 | to enable authorities and consumers to take action; |
26 | (4) The removal of financial barriers will protect consumer credit information: |
27 | (i) In one of several major security breaches that have occurred in recent years, the names, |
28 | social security numbers, birth dates, addresses, driver's license numbers, and credit card numbers |
29 | of over one hundred forty-five million (145,000,000) Americans were exposed, including citizens |
30 | of Rhode Island; |
31 | (ii) In response to concerns about data security, identity theft, and consumer protection, |
32 | one important step a consumer can take is to place a security freeze on their credit file with each of |
33 | the national credit reporting agencies; |
34 | (iii) Pursuant to § 6-48-5, when a consumer places a security freeze, a credit reporting |
| LC005062 - Page 3 of 19 |
1 | agency issues a unique personal identification number (PIN) or password to the consumer. The |
2 | consumer must provide the PIN or password, and their express consent, to allow a potential creditor |
3 | to access their credit information; |
4 | (iv) Rhode Island prohibits credit reporting agencies from charging a fee to place or remove |
5 | a security freeze, eliminating any financial barrier to doing so. |
6 | (b) The intent of the general assembly is the protection of consumer personal data by: |
7 | (1) Providing consumers with more information about data brokers, their data collection |
8 | practices, and the right to opt-out. It is the intent of the general assembly to provide citizens of |
9 | Rhode Island with access to more information about the data brokers that collect consumer data |
10 | and their collection practices by: |
11 | (i) Adopting a narrowly tailored definition of "data broker" that: |
12 | (A) Includes only those businesses that aggregate and sell the personal information of |
13 | consumers with whom they do not have a direct relationship; and |
14 | (B) Excludes businesses that collect information from their own customers, employees, |
15 | users, or donors, including: banks and other financial institutions; utilities; insurers; retailers and |
16 | grocers; restaurants and hospitality businesses; social media websites and mobile "apps"; search |
17 | websites; and businesses that provide services for consumer-facing businesses and maintain a direct |
18 | relationship with those consumers, such as a website, "app," and e-commerce platforms; and |
19 | (ii) Requiring a data broker to register annually with the secretary of state and make certain |
20 | disclosures in order to provide consumers, policy makers, and regulators with relevant information; |
21 | (2) Ensuring that data brokers have adequate security standards. It is the intent of the |
22 | general assembly to protect against potential cyber threats by requiring data brokers to adopt an |
23 | information security program with appropriate technical, physical, and administrative safeguards; |
24 | (3) Prohibiting the acquisition of personal information with the intent to commit wrongful |
25 | acts. It is the intent of the general assembly to protect citizens of Rhode Island from potential harm |
26 | by creating new causes of action that prohibit the acquisition or use of personal information for the |
27 | purpose of stalking, harassment, fraud, identity theft, or discrimination; and |
28 | (4) Removing financial barriers to protect consumer credit information. It is the intent of |
29 | the general assembly to remove any financial barrier for citizens of Rhode Island who intend to |
30 | place a security freeze on their credit report by prohibiting credit reporting agencies from charging |
31 | a fee to place or remove a freeze. |
32 | 6-48.1-3. Definitions. |
33 | As used in this chapter: |
34 | (1) "Brokered personal information" means one or more of the following computerized |
| LC005062 - Page 4 of 19 |
1 | data elements about a consumer, if categorized or organized for dissemination to third parties: |
2 | (i) Name; |
3 | (ii) Address; |
4 | (iii) Date of birth; |
5 | (iv) Place of birth; |
6 | (v) Mother's maiden name; |
7 | (vi) Unique biometric data generated from measurements or technical analysis of human |
8 | body characteristics used by the owner or licensee of the data to identify or authenticate the |
9 | consumer, such as a fingerprint, retina or iris image, or other unique physical representation or |
10 | digital representation of biometric data; |
11 | (vii) Name or address of a member of the consumer's immediate family or household; |
12 | (viii) Social security number or other government-issued identification number; or |
13 | (ix) Other information that, alone or in combination with the other information sold or |
14 | licensed, would allow a reasonable person to identify the consumer with reasonable certainty; |
15 | however, it does not include publicly available information to the extent that it is related to a |
16 | consumer's business or profession; |
17 | (2) "Business" means a commercial entity, including a sole proprietorship, partnership, |
18 | corporation, association, limited liability company, or other group, however organized and whether |
19 | or not organized to operate at a profit, including a financial institution organized, chartered, or |
20 | holding a license or authorization certificate under the laws of the state of Rhode Island, any other |
21 | state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial |
22 | institution, but does not include the state of Rhode Island, a state agency, any political subdivision |
23 | of the state of Rhode Island, or a vendor acting solely on behalf of, and at the direction of, the state |
24 | of Rhode Island; |
25 | (3) "Consumer" means an individual residing in this state; |
26 | (4)(i) "Data broker" means a business, or unit or units of a business, separately or together, |
27 | that knowingly collects and sells or licenses to third parties the brokered personal information of a |
28 | consumer with whom the business does not have a direct relationship; |
29 | (ii) Examples of a direct relationship with a business include if the consumer is a past or |
30 | present: |
31 | (A) Customer, client, subscriber, user, or registered user of the business's goods or services; |
32 | (B) Employee, contractor, or agent of the business; |
33 | (C) Investor in the business; or |
34 | (D) Donor to the business. |
| LC005062 - Page 5 of 19 |
1 | (iii) The following activities conducted by a business, and the collection and sale or |
2 | licensing of brokered personal information incidental to conducting these activities, do not qualify |
3 | the business as a data broker: |
4 | (A) Developing or maintaining third-party e-commerce or application platforms; |
5 | (B) Providing 411 directory assistance or directory information services, including name, |
6 | address, and telephone number, on behalf of or as a function of a telecommunications carrier; |
7 | (C) Providing publicly available information related to a consumer's business or |
8 | profession; or |
9 | (D) Providing publicly available information via real-time or near-real-time alert services |
10 | for health or safety purposes; |
11 | (iv) The phrase "sells or licenses" does not include: |
12 | (A) A one-time or occasional sale of assets of a business as part of a transfer of control of |
13 | those assets that is not part of the ordinary conduct of the business; or |
14 | (B) A sale or license of data that is merely incidental to the business; |
15 | (5)(i) "Data broker security breach" means an unauthorized acquisition or a reasonable |
16 | belief of an unauthorized acquisition of more than one element of brokered personal information |
17 | maintained by a data broker when the brokered personal information is not encrypted, redacted, or |
18 | protected by another method that renders the information unreadable or unusable by an |
19 | unauthorized person; |
20 | (ii) "Data broker security breach" does not include good faith but unauthorized acquisition |
21 | of brokered personal information by an employee or agent of the data broker for a legitimate |
22 | purpose of the data broker, provided that the brokered personal information is not used for a purpose |
23 | unrelated to the data broker's business or subject to further unauthorized disclosure; |
24 | (iii) In determining whether brokered personal information has been acquired or is |
25 | reasonably believed to have been acquired by a person without valid authorization, a data broker |
26 | may consider the following factors, among others: |
27 | (A) Indications that the brokered personal information is in the physical possession and |
28 | control of a person without valid authorization, such as a lost or stolen computer or other device |
29 | containing brokered personal information; |
30 | (B) Indications that the brokered personal information has been downloaded or copied; |
31 | (C) Indications that the brokered personal information was used by an unauthorized person, |
32 | such as fraudulent accounts opened or instances of identity theft reported; or |
33 | (D) That the brokered personal information has been made public; |
34 | (6) "Data collector" means a person who, for any purpose, whether by automated collection |
| LC005062 - Page 6 of 19 |
1 | or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable |
2 | information, and includes the state of Rhode Island, state agencies, political subdivisions of the |
3 | state, public and private universities, privately and publicly held corporations, limited liability |
4 | companies, financial institutions, and retail operators; |
5 | (7) "Encryption" or "Encrypted" means the transformation of data through the use of a one |
6 | hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low |
7 | probability of assigning meaning without use of a confidential process or key. Data shall not be |
8 | considered to be encrypted if it is acquired in combination with any key, security code, or password |
9 | that would permit access to the encrypted data. These terms shall also mean any security solution, |
10 | other than a one hundred twenty-eight (128) bit or higher algorithmic process that provides the |
11 | same degree or higher degree of security; |
12 | (8) "License" means a grant of access to, or distribution of, data by one person to another |
13 | in exchange for consideration. A use of data for the sole benefit of the data provider, where the data |
14 | provider maintains control over the use of the data, is not a license; |
15 | (9) "Personally identifiable information" or "personal information" means an individual's |
16 | first name or first initial and last name in combination with any one or more of the following data |
17 | elements, when the name and the data elements are not encrypted or are in hard copy, paper format: |
18 | (i) Social security number; |
19 | (ii) Driver's license number, passport number, Rhode Island identification card number, or |
20 | tribal identification number; |
21 | (iii) Account number, credit, or debit card number, in combination with any required |
22 | security code, access code, password, or personal identification number, that would permit access |
23 | to an individual's financial account; |
24 | (iv) Medical or health insurance information; or |
25 | (v) E-mail address with any required security code, access code, or password that would |
26 | permit access to an individual's personal, medical, insurance, or financial account. |
27 | (10) "Record" means any material on which written, drawn, spoken, visual, or |
28 | electromagnetic information is recorded or preserved, regardless of physical form or |
29 | characteristics; |
30 | (11) "Redaction" means the rendering of data in a form that renders the data unreadable, or |
31 | truncates it so that no more than the last four (4) digits of the identification number are |
32 | accessible as part of the data; |
33 | (12)(i) "Security breach" means unauthorized acquisition of, or a reasonable belief of an |
34 | unauthorized acquisition of, electronic data that compromises the security, |
| LC005062 - Page 7 of 19 |
1 | confidentiality, or integrity of a consumer's personally identifiable information maintained by a |
2 | data collector; |
3 | (ii) "Security breach" does not include good faith but unauthorized acquisition of |
4 | personally identifiable information by an employee or agent of the data collector for a legitimate |
5 | purpose of the data collector, provided that the personally identifiable information is not used for a |
6 | purpose unrelated to the data collector's business or subject to further unauthorized disclosure; |
7 | (iii) In determining whether personally identifiable information has been acquired or is |
8 | reasonably believed to have been acquired by a person without valid authorization, a data collector |
9 | may consider the following factors, among others: |
10 | (A) Indications that the information is in the physical possession and control of a person |
11 | without valid authorization, such as a lost or stolen computer or other device containing |
12 | information; |
13 | (B) Indications that the information has been downloaded or copied; |
14 | (C) Indications that the information was used by an unauthorized person, such as fraudulent |
15 | accounts opened or instances of identity theft reported; or |
16 | (D) That the information has been made public. |
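The definitions above of "encryption" (paragraph (7)), "redaction" (paragraph (11)) and "data broker security breach" (paragraph (5)) are the tests an incident responder applies when scoping an incident at a data broker. The following is an added example, not text or code from the bill, showing those three tests in working Python: a truncating redaction that leaves at most the last four digits readable, an "unreadable" check that treats ciphertext as protected only when its key was not acquired with it, and the more-than-one-exposed-element rule. The element names, the `identifier` flag and the sample records are this example's own constructed assumptions.

```python
"""Added example (not part of the bill): apply the chapter's definitions of
"redaction" (6-48.1-3(11)), "encrypted" (6-48.1-3(7)) and "data broker
security breach" (6-48.1-3(5)(i)) to an inventory of acquired elements.
All record values below are constructed sample input."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List


def redact(identifier: str, keep: int = 4) -> str:
    """Truncate an identification number so that no more than its last
    `keep` digits stay readable (6-48.1-3(11)); separators are preserved.
    A number with `keep` digits or fewer is rendered fully unreadable."""
    digits = sum(c.isdigit() for c in identifier)
    hide = digits - keep
    if hide <= 0:
        return re.sub(r"\d", "X", identifier)
    out, seen = [], 0
    for c in identifier:
        if c.isdigit():
            out.append("X" if seen < hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def is_redacted(identifier: str, keep: int = 4) -> bool:
    """True when at most `keep` digits of the identifier are still readable."""
    return sum(c.isdigit() for c in identifier) <= keep


@dataclass
class AcquiredElement:
    """One brokered-personal-information element taken in an incident.
    `identifier` marks elements that are identification numbers (SSN, licence
    number), the only kind to which the redaction test applies (assumption)."""
    name: str                  # e.g. "name", "ssn", "date_of_birth"
    value: str
    identifier: bool = False
    encrypted: bool = False    # ciphertext from a 128-bit-or-stronger process
    key_acquired: bool = False  # key or password taken with the ciphertext


def is_unreadable(el: AcquiredElement) -> bool:
    """Protected under the chapter only if encrypted without its key
    (6-48.1-3(7)) or redacted (6-48.1-3(11))."""
    if el.encrypted:
        return not el.key_acquired
    return el.identifier and is_redacted(el.value)


def exposed_elements(acquired: List[AcquiredElement]) -> List[str]:
    """Distinct element types that were acquired in readable form."""
    return sorted({el.name for el in acquired if not is_unreadable(el)})


def is_data_broker_security_breach(acquired: List[AcquiredElement]) -> bool:
    """6-48.1-3(5)(i): more than one element acquired in readable form.
    The good-faith employee carve-out in (5)(ii) is outside this check."""
    return len(exposed_elements(acquired)) > 1


if __name__ == "__main__":
    # Constructed incident inventory: a name plus a redacted SSN.
    inventory = [
        AcquiredElement("name", "Jane Doe"),
        AcquiredElement("ssn", redact("123-45-6789"), identifier=True),
    ]
    print(exposed_elements(inventory), is_data_broker_security_breach(inventory))
```

Note that an encrypted element acquired together with its key is counted as exposed, exactly as paragraph (7) directs; a breach-scoping tool that only looks at whether a column is "encrypted at rest" will undercount.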
17 | 6-48.1-4. Restricted acquisition of brokered personal information. |
18 | (a) Prohibited acquisition and use: |
19 | (1) A person shall not acquire brokered personal information through fraudulent means; |
20 | (2) A person shall not acquire or use brokered personal information for the purpose of: |
21 | (i) Stalking or harassing another person; |
22 | (ii) Committing a fraud, including identity theft, financial fraud, or email fraud; or |
23 | (iii) Engaging in unlawful discrimination, including employment discrimination and |
24 | housing discrimination. |
25 | (b) Promulgation of rules and prohibited practices: |
26 | (1) A person who violates a provision of this section commits a deceptive trade practice in |
27 | violation of chapter 13.1 of title 6; |
28 | (2) The director of the department of business regulation shall promulgate rules to |
29 | implement the provisions of this chapter. |
30 | 6-48.1-5. Annual registration. |
31 | (a) Annually, on or before January 31 following a year in which a person meets the |
32 | definition of data broker as provided in this chapter, the data broker shall: |
33 | (1) Register with the secretary of state; |
34 | (2) Pay a registration fee of one hundred dollars ($100); and |
| LC005062 - Page 8 of 19 |
1 | (3) Provide the following information: |
2 | (i) The name and primary physical, email, and Internet address(es) of the data broker; |
3 | (ii) If the data broker permits a consumer to opt-out of the data broker's collection of |
4 | brokered personal information, opt-out of its databases, or opt-out of certain sales of data: |
5 | (A) The method for requesting an opt-out; |
6 | (B) If the opt-out applies to only certain activities or sales, identification of which ones; |
7 | and |
8 | (C) Whether the data broker permits a consumer to authorize a third party to perform the |
9 | opt-out on the consumer's behalf; |
10 | (iii) A statement specifying the data collection, databases, or sales activities from which a |
11 | consumer may not opt-out; |
12 | (iv) A statement whether the data broker implements a purchaser credentialing process; |
13 | (v) The number of data broker security breaches that the data broker has experienced during |
14 | the prior year, and if known, the total number of consumers affected by the breaches; |
15 | (vi) Where the data broker has actual knowledge that it possesses the brokered personal |
16 | information of minors, a separate statement detailing the data collection practices, databases, sales |
17 | activities, and opt-out policies that are applicable to the brokered personal information of minors; |
18 | and |
19 | (vii) Any additional information or explanation the data broker chooses to provide |
20 | concerning its data collection practices. |
21 | (b) A data broker that fails to register pursuant to subsection (a) of this section is liable for: |
22 | (1) A civil penalty of fifty dollars ($50.00) for each day, not to exceed a total of ten |
23 | thousand dollars ($10,000) for each year, it fails to register pursuant to this section; |
24 | (2) An amount equal to the fees due under this section during the period it failed to register |
25 | pursuant to this section; and |
26 | (3) Other penalties imposed by law. |
27 | (c) The attorney general may maintain an action in superior court to collect the penalties |
28 | imposed in this section and to seek appropriate injunctive relief. |
29 | 6-48.1-6. Duty to protect information. |
30 | (a) Duty to protect personally identifiable information: |
31 | (1) A data broker shall develop, implement, and maintain a comprehensive information |
32 | security program that is written in one or more readily accessible parts and contains administrative, |
33 | technical, and physical safeguards that are appropriate to: |
34 | (i) The size, scope, and type of business of the data broker obligated to safeguard the |
| LC005062 - Page 9 of 19 |
1 | personally identifiable information under such comprehensive information security program; |
2 | (ii) The amount of resources available to the data broker; |
3 | (iii) The amount of stored data; and |
4 | (iv) The need for security and confidentiality of personally identifiable information; |
5 | (2) A data broker subject to this chapter shall adopt safeguards in the comprehensive |
6 | security program that are consistent with the safeguards for protection of personally identifiable |
7 | information and information of a similar character set forth in other state rules or federal regulations |
8 | applicable to the data broker. |
9 | (b) Information security program - minimum features. A comprehensive information |
10 | security program shall at minimum have the following features: |
11 | (1) Designation of one or more employees to maintain the program; |
12 | (2) Identification and assessment of reasonably foreseeable internal and external risks to |
13 | the security, confidentiality, and integrity of any electronic, paper, or other records containing |
14 | personally identifiable information, and a process for evaluating and improving, where necessary, |
15 | the effectiveness of the current safeguards for limiting such risks, including: |
16 | (i) Ongoing employee training, including training for temporary and contract employees; |
17 | (ii) Employee compliance with policies and procedures; and |
18 | (iii) Means for detecting and preventing security system failures; |
19 | (3) Security policies for employees relating to the storage, access, and transportation of |
20 | records containing personally identifiable information outside business premises; |
21 | (4) Disciplinary measures for violations of the comprehensive information security |
22 | program rules; |
23 | (5) Measures that prevent terminated employees from accessing records containing |
24 | personally identifiable information; |
25 | (6) Supervision of service providers, by: |
26 | (i) Taking reasonable steps to select and retain third-party service providers that are capable |
27 | of maintaining appropriate security measures to protect personally identifiable information |
28 | consistent with applicable law; and |
29 | (ii) Requiring third-party service providers by contract to implement and maintain |
30 | appropriate security measures for personally identifiable information; |
31 | (7) Reasonable restrictions upon physical access to records containing personally |
32 | identifiable information and storage of the records and data in locked facilities, storage areas, or |
33 | containers; |
34 | (8)(i) Regular monitoring to ensure that the comprehensive information security program |
| LC005062 - Page 10 of 19 |
1 | is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized |
2 | use of personally identifiable information; and |
3 | (ii) Upgrading information safeguards as necessary to limit risks; |
4 | (9) Regular review of the scope of the security measures: |
5 | (i) At least annually; or |
6 | (ii) Whenever there is a material change in business practices that may reasonably affect |
7 | the security or integrity of records containing personally identifiable information; and |
8 | (10)(i) Documentation of responsive actions taken in connection with any incident |
9 | involving a breach of security; and |
10 | (ii) Mandatory post-incident review of events and actions taken, if any, to make changes |
11 | in business practices relating to protection of personally identifiable information. |
12 | (c) Information security program; computer system security requirements. A |
13 | comprehensive information security program required by this section shall at minimum, and to the |
14 | extent technically feasible, have the following elements: |
15 | (1) Secure user authentication protocols, as follows: |
16 | (i) An authentication protocol that has the following features: |
17 | (A) Control of user identifications and other identifiers; |
18 | (B) A reasonably secure method of assigning and selecting passwords or use of unique |
19 | identifier technologies, such as biometrics or token devices; |
20 | (C) Control of data security passwords to ensure that such passwords are kept in a location |
21 | and format that do not compromise the security of the protected data; |
22 | (D) Restricting access to only active users and active user accounts; and |
23 | (E) Blocking access to user identification after multiple unsuccessful attempts to gain |
24 | access; or |
25 | (ii) An authentication protocol that provides a higher level of security than the features |
26 | specified in this subsection. |
27 | (2) Secure access control measures that: |
28 | (i) Restrict access to records and files containing personally identifiable information to |
29 | those who need such information to perform their job duties; and |
30 | (ii) Assign to each person with computer access unique identifications plus passwords, |
31 | which are not vendor-supplied default passwords, that are reasonably designed to maintain the |
32 | integrity of the security of the access controls or a protocol that provides a higher degree of security; |
33 | (3) Encryption of all transmitted records and files containing personally identifiable |
34 | information that will travel across public networks and encryption of all data containing personally |
| LC005062 - Page 11 of 19 |
1 | identifiable information to be transmitted wirelessly or a protocol that provides a higher degree of |
2 | security; |
3 | (4) Reasonable monitoring of systems for unauthorized use of or access to personally |
4 | identifiable information; |
5 | (5) Encryption of all personally identifiable information stored on laptops or other portable |
6 | devices or a protocol that provides a higher degree of security; |
7 | (6) For files containing personally identifiable information on a system that is connected |
8 | to the Internet, reasonably up-to-date firewall protection and operating system security patches that |
9 | are reasonably designed to maintain the integrity of the personally identifiable information or a |
10 | protocol that provides a higher degree of security; |
11 | (7) Reasonably up-to-date versions of system security agent software that must include |
12 | malware protection and reasonably up-to-date patches and virus definitions, or a version of such |
13 | software that can still be supported with up-to-date patches and virus definitions and is set to receive |
14 | the most current security updates on a regular basis or a protocol that provides a higher degree of |
15 | security; and |
16 | (8) Education and training of employees on the proper use of the computer security system |
17 | and the importance of personally identifiable information security. |
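Subsection (c)(1)(i) lists the five features an acceptable authentication protocol must have, and (c)(2)(ii) adds that per-user passwords must not be vendor-supplied defaults. The following is an added example, not code from the bill or from any data broker, showing those requirements together in a small standard-library Python user store: a single registry of user identifiers (A), a password policy that refuses short and default passwords (B and (c)(2)(ii)), salted PBKDF2 hashes so the stored form does not compromise the protected data (C), refusal of inactive accounts (D), and lockout after repeated failures (E). The threshold of five attempts, the PBKDF2 cost, the minimum length and the default-password list are this example's own assumptions.

```python
"""Added example (not from the bill): a minimal user store demonstrating the
authentication features required by 6-48.1-6(c)(1)(i)(A)-(E) and the
no-default-password rule in 6-48.1-6(c)(2)(ii). Thresholds and sample
accounts are assumptions made for this example."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

MAX_FAILED_ATTEMPTS = 5            # assumption: lockout threshold for (E)
PBKDF2_ITERATIONS = 600_000        # assumption: work factor for stored hashes
MIN_PASSWORD_LENGTH = 12           # assumption: password policy for (B)
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}  # constructed list


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes            # (C): only a salted hash is ever stored
    active: bool = True       # (D): inactive accounts cannot authenticate
    failed_attempts: int = 0
    locked: bool = False      # (E): set after MAX_FAILED_ATTEMPTS failures


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}   # (A): one registry of user IDs

    def create_user(self, user_id: str, password: str) -> None:
        """(A) unique identifier; (B) and (c)(2)(ii) password policy."""
        if user_id in self._accounts:
            raise ValueError("duplicate user id")
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("password rejected by policy")
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, _hash(password, salt))

    def deactivate(self, user_id: str) -> None:
        """(D): e.g. on termination, see also 6-48.1-6(b)(5)."""
        self._accounts[user_id].active = False

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do equivalent work so unknown IDs are not revealed by timing.
            _hash(password, b"\x00" * 16)
            return False
        if not acct.active or acct.locked:          # (D) and (E)
            return False
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                       # (E): block the identifier
        return False


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct-horse-battery-staple")
    print(store.authenticate("alice", "correct-horse-battery-staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "wrong-password-guess!")
    print(store.is_locked("alice"))
```

The lockout here is permanent until an administrator intervenes; a production system would normally add an unlock path and a time-based or per-source-IP limiter so that an attacker cannot use the lockout itself to deny service to legitimate users, which is the usual operational cost of feature (E).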
18 | (d) Enforcement. |
19 | (1) A person who violates a provision of this chapter commits a deceptive trade practice in |
20 | violation of chapter 13.1 of title 6. |
21 | (2) The attorney general has the authority to conduct civil investigations, and bring civil |
22 | actions as provided in § 6-13.1-5. |
23 | (3) Nothing in this chapter shall be construed to authorize any private right of action to |
24 | enforce any provision of this chapter, any regulation hereunder, or any other provisions of |
25 | commercial law in title 6. |
26 | 6-48.1-7. Disclosure to consumers. |
27 | (a) A credit reporting agency shall, upon request and proper identification of any consumer, |
28 | clearly and accurately disclose to the consumer all information available to users at the time of the |
29 | request pertaining to the consumer, including: |
30 | (1) Any credit score or predictor relating to the consumer, in a form and manner that |
31 | complies with such comments or guidelines as may be issued by the Federal Trade Commission; |
32 | (2) The names of users requesting information pertaining to the consumer during the prior |
33 | twelve (12) month period and the date of each request; and |
34 | (3) A clear and concise explanation of the information. |
| LC005062 - Page 12 of 19 |
1 | (b) As frequently as new telephone directories are published, the credit reporting agency |
2 | shall cause to be listed its name and number in each telephone directory published to serve |
3 | communities of this state. In accordance with rules adopted by the attorney general, the credit |
4 | reporting agency shall make provision for consumers to request by telephone the information |
5 | required to be disclosed pursuant to subsection (a) of this section at no cost to the consumer. |
6 | (c) Any time a credit reporting agency is required to make a written disclosure to consumers |
7 | pursuant to 15 U.S.C. § 1681g, it shall disclose, in at least twelve (12) point type, and in bold type |
8 | as indicated, the following notice: |
9 | "NOTICE TO RHODE ISLAND CONSUMERS |
10 | You are allowed to receive one free copy of your credit report every twelve (12) months |
11 | from each credit reporting agency. |
12 | Under Rhode Island law, no one may access your credit report without your permission |
13 | except under the following limited circumstances: |
14 | (1) In response to a court order; |
15 | (2) For direct mail offers of credit; |
16 | (3) If you have given ongoing permission and you have an existing relationship with the |
17 | person requesting a copy of your credit report; |
18 | (4) Where the request for a credit report is related to an education loan made, guaranteed, |
19 | or serviced by the Rhode Island student loan authority; |
20 | (5) Where the request for a credit report is by the office of child support services when |
21 | investigating a child support case; |
22 | (6) Where the request for a credit report is related to a credit transaction entered into prior |
23 | to January 1, 1993; and/or |
24 | (7) Where the request for a credit report is by the Rhode Island division of taxation and is |
25 | used for the purpose of collecting or investigating delinquent taxes. |
26 | If you believe a law regulating consumer credit reporting has been violated, you may file |
27 | a complaint with the state of Rhode Island attorney general. |
28 | Consumers Have the Right to Obtain a Security Freeze. |
29 | You have a right to place a "security freeze" on your credit report pursuant to Rhode Island |
30 | general laws § 6-48-5 at no charge. The security freeze will prohibit a credit reporting agency from |
31 | releasing any information in your credit report without your express authorization. A security freeze |
32 | must be requested in writing by certified mail. |
33 | The security freeze is designed to help prevent credit, loans, and services from being |
34 | approved in your name without your consent. However, you should be aware that using a security |
| LC005062 - Page 13 of 19 |
1 | freeze to take control over who gains access to the personal and financial information in your credit |
2 | report may delay, interfere with, or prohibit the timely approval of any subsequent request or |
3 | application you make regarding new loans, credit, mortgage, insurance, government services or |
4 | payments, rental housing, employment, investment, license, cellular phone, utilities, digital |
5 | signature, Internet credit card transaction, or other services, including an extension of credit at point |
6 | of sale. |
7 | When you place a security freeze on your credit report, within ten (10) business days you |
8 | will be provided a personal identification number, password, or other equally or more secure |
9 | method of authentication to use if you choose to remove the freeze on your credit report or authorize |
10 | the release of your credit report for a specific party, parties, or period of time after the freeze is in |
11 | place. To provide that authorization, you must contact the credit reporting agency and provide all |
12 | of the following: |
13 | (1) The unique personal identification number, password, or other method of |
14 | authentication provided by the credit reporting agency; |
15 | (2) Proper identification to verify your identity; and |
16 | (3) The proper information regarding the third party or parties who are to receive the credit |
17 | report or the period of time for which the report shall be available to users of the credit report. |
18 | A credit reporting agency may not charge a fee to remove the freeze on your credit report |
19 | or authorize the release of your credit report for a specific party, parties, or period of time after the |
20 | freeze is in place. |
21 | Pursuant to § 6-48-5(a)(9), a credit reporting agency that receives a request from a |
22 | consumer to lift temporarily a freeze on a credit report shall comply with the request no later than |
23 | three (3) business days after receiving the request. |
24 | A security freeze will not apply to "preauthorized approvals of credit." |
25 | A security freeze does not apply to a person or entity, or its affiliates, or collection agencies |
26 | acting on behalf of the person or entity with which you have an existing account that requests |
27 | information in your credit report for the purposes of reviewing or collecting the account, provided |
28 | you have previously given your consent to this use of your credit reports. Reviewing the account |
29 | includes activities related to account maintenance, monitoring, credit line increases, and account |
30 | upgrades and enhancements. |
31 | You have a right to bring a civil action against someone who violates your rights under the |
32 | credit reporting laws. The action can be brought against a credit reporting agency or a user of your |
33 | credit report. |
34 | (d) The information required to be disclosed by this section shall be disclosed in writing. |
| LC005062 - Page 14 of 19 |
1 | The information required to be disclosed pursuant to subsection (c) of this section shall be disclosed |
2 | on one side of a separate document, with text no smaller than that prescribed by the Federal Trade |
3 | Commission for the notice required under 15 U.S.C. § 1681g. The information required to be |
4 | disclosed pursuant to subsection (c) of this section may accurately reflect changes in numerical |
5 | items that change over time (such as the telephone number or address of Rhode Island state |
6 | agencies), and remain in compliance. |
7 | (e) The director of the department of business regulation may revise this required notice by |
8 | rule as appropriate from time to time so long as no new substantive rights are created therein. |
9 | 6-48.1-8. Security freeze requirements. |
10 | (a)(1) A Rhode Island consumer may place a security freeze on their credit report. A credit |
11 | reporting agency shall not charge a fee to Rhode Island consumers for placing or removing, |
12 | removing for a specific party or parties, or removing for a specific period of time after the freeze is |
13 | in place, a security freeze on a credit report. |
14 | (2) A consumer may place a security freeze on their credit report by making a request in |
15 | writing by certified mail to a credit reporting agency. |
16 | (3) A security freeze shall prohibit, subject to the exceptions in this chapter and § 6-48-5, |
17 | the credit reporting agency from releasing the consumer's credit report or any information from it |
18 | without the express authorization of the consumer. |
19 | (4) This subsection does not prevent a credit reporting agency from advising a third party |
20 | that a security freeze is in effect with respect to the consumer's credit report. |
21 | (b) A credit reporting agency shall place a security freeze on a consumer's credit report not |
22 | later than five (5) business days after receiving a written request from the consumer. |
23 | (c) The credit reporting agency shall send a written confirmation of the security freeze to |
24 | the consumer within ten (10) business days and shall provide the consumer with a unique personal |
25 | identification number or password, other than the customer's social security number, or another |
26 | method of authentication that is equally or more secure than a personal identification number (PIN) |
27 | or password, to be used by the consumer when providing authorization for the release of their credit |
28 | for a specific party, parties, or period of time. |
29 | (d) If the consumer authorizes their credit report to be accessed for a specific party, parties, |
30 | or period of time while a freeze is in place, they shall contact the credit reporting agency, request |
31 | that the freeze be temporarily lifted, and provide the following: |
32 | (1) Proper identification; |
33 | (2) The unique personal identification number, password, or other method of |
34 | authentication provided by the credit reporting agency pursuant to subsection (c) of this section; |
| LC005062 - Page 15 of 19 |
1 | and |
2 | (3) The proper information regarding the third party, parties, or time period for which the |
3 | report shall be available to users of the credit report. |
4 | (e) A credit reporting agency may develop procedures involving the use of telephone, fax, |
5 | the Internet, or other electronic media to receive and process a request from a consumer to lift |
6 | temporarily a freeze on a credit report pursuant to subsection (d) of this section in an expedited |
7 | manner. |
8 | (f) A credit reporting agency that receives a request from a consumer to lift temporarily a |
9 | freeze on a credit report pursuant to subsection (d) of this section shall comply with the request not |
10 | later than three (3) business days after receiving the request. |
11 | (g) A credit reporting agency shall remove or lift temporarily a freeze placed on a |
12 | consumer's credit report only in the following cases: |
13 | (1) Upon consumer request, pursuant to subsection (d) or (j) of this section. |
14 | (2) If the consumer's credit report was frozen due to a material misrepresentation of fact by |
15 | the consumer. If a credit reporting agency intends to remove a freeze upon a consumer's credit |
16 | report pursuant to this subsection, the credit reporting agency shall notify the consumer in writing |
17 | prior to removing the freeze on the consumer's credit report. |
18 | (h) If a third party requests access to a credit report on which a security freeze is in effect |
19 | and this request is in connection with an application for credit or any other use and the consumer |
20 | does not allow their credit report to be accessed for that specific party or period of time, the third |
21 | party may treat the application as incomplete. |
22 | (i) If a consumer requests a security freeze pursuant to § 6-48-5, the credit reporting agency |
23 | shall disclose to the consumer the process of placing and lifting temporarily a security freeze and |
24 | the process for allowing access to information from the consumer's credit report for a specific party, |
25 | parties, or period of time while the security freeze is in place. |
26 | (j) A security freeze shall remain in place until the consumer requests that the security |
27 | freeze be removed. A credit reporting agency shall remove a security freeze within three (3) |
28 | business days of receiving a request for removal from the consumer who provides both of the |
29 | following: |
30 | (1) Proper identification; and |
31 | (2) The unique personal identification number, password, or other method of authentication |
32 | provided by the credit reporting agency pursuant to § 6-48-5. |
33 | (k) A credit reporting agency shall require proper identification of the person making a |
34 | request to place or remove a security freeze. |
| LC005062 - Page 16 of 19 |
1 | (l) The provisions of this section, including the security freeze, do not apply to the use of a |
2 | consumer report by the following: |
3 | (1) A person, or the person's subsidiary, affiliate, agent, or assignee with which the |
4 | consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for |
5 | the purposes of reviewing the account or collecting the financial obligation owing for the account, |
6 | contract, or debt, or extending credit to a consumer with a prior or existing account, contract, or |
7 | debtor-creditor relationship. For purposes of this subsection, "reviewing the account" includes |
8 | activities related to account maintenance, monitoring, credit line increases, and account upgrades |
9 | and enhancements. |
10 | (2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom |
11 | access has been granted under subsection (d) of this section for purposes of facilitating the |
12 | extension of credit or other permissible use. |
13 | (3) Any person acting pursuant to a court order, warrant, or subpoena. |
14 | (4) The office of child support services when investigating a child support case. |
15 | (5) The medical fraud and patient abuse unit of the department of the attorney general or |
16 | its agents or assignee acting to investigate welfare or Medicaid fraud. |
17 | (6) The division of taxation, municipal taxing authorities, or the department of motor |
18 | vehicles, or any of their agents or assignees, acting to investigate or collect delinquent taxes or |
19 | assessments, including interest and penalties, unpaid court orders, or acting to fulfill any of their |
20 | other statutory or charter responsibilities. |
21 | (7) A person's use of credit information for the purposes of prescreening as provided by |
22 | the federal Fair Credit Reporting Act. |
23 | (8) Any person for the sole purpose of providing a credit file monitoring subscription |
24 | service to which the consumer has subscribed. |
25 | (9) A credit reporting agency for the sole purpose of providing a consumer with a copy of |
26 | their credit report upon the consumer's request. |
27 | (10) Any property and casualty insurance company for use in setting or adjusting a rate or |
28 | underwriting for property and casualty insurance purposes. |
29 | 6-48.1-9. One-stop freeze notification report. |
30 | (a) The director of the department of business regulation, in consultation with industry |
31 | stakeholders, shall consider one or more methods to ease the burden on consumers when placing |
32 | or lifting a credit security freeze, including the right to place a freeze with a single nationwide credit |
33 | reporting agency and require that agency to initiate a freeze with other agencies. |
34 | (b) On or before January 15, 2022, the director of the department of business regulation |
| LC005062 - Page 17 of 19 |
1 | shall report their findings and recommendations to the governor, speaker of the house, and president |
2 | of the senate. |
3 | 6-48.1-10. Construction. |
4 | Nothing in this chapter shall be deemed to apply in any manner to any information or data |
5 | that is subject to the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under |
6 | that act, or to information or data subject to the Health Insurance Portability and Accountability |
7 | Act of 1996 (HIPAA); provided, however, no entity or individual shall be exempt from the |
8 | provisions of this chapter. |
9 | SECTION 2. This act shall take effect on January 1, 2021. |
| LC005062 - Page 18 of 19 |
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW -- GENERAL REGULATORY PROVISIONS --
ESTABLISHING THE "CONSUMER PERSONAL DATA PROTECTION ACT OF 2020"
***
1 | This act would regulate data brokers. Data brokers would be required to annually register; |
2 | to provide substantive notifications to consumers; and to adopt comprehensive data security |
3 | programs. |
4 | This act would take effect on January 1, 2021. |
| LC005062 - Page 19 of 19 |