2022 -- H 7883 | |
======== | |
LC004811 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2022 | |
____________ | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 | |
| |
Introduced By: Representatives Ruggiero, Craven, Hull, Williams, Morales, Ajello, | |
Date Introduced: March 04, 2022 | |
Referred To: House Innovation, Internet, & Technology | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Chapter 11-49.3 of the General Laws entitled "Identity Theft Protection Act |
2 | of 2015" is hereby amended by adding thereto the following section: |
3 | 11-49.3-7. Cybersecurity incident response group. |
4 | (a) The governor shall establish a cybersecurity incident response group, which shall |
5 | include the superintendent of the Rhode Island state police, or designee, adjutant general of the |
6 | Rhode Island national guard, or designee, director of the Rhode Island division of information |
7 | technology, or designee, director of the Rhode Island emergency management agency, or designee |
8 | and the secretary of state, or designee. |
9 | (b) The cybersecurity incident response group shall: |
10 | (1) Establish communication protocols in the event of a breach or an incident of |
11 | cybersecurity in any agency or public body. The protocols shall include, but not be limited to: |
12 | (i) A list of potential cybersecurity breaches or incidents that would require reporting; |
13 | (ii) State and local entities covered within the communication plan; |
14 | (iii) Mechanisms to communicate a cybersecurity breach or incidents in a timely manner |
15 | to members of the public and other relevant parties who may be affected by the breach; and |
16 | (iv) Primary contact at each agency or public body. |
17 | (c) The cybersecurity incident response group shall also establish long-term policy |
18 | planning and goals for the state regarding evolving cybersecurity threats and how to address them |
19 | in a coordinated manner. |
| |
1 | (d) The cybersecurity incident response group shall be subject to chapter 46 of title 42, |
2 | ("open meetings"), and chapter 2 of title 38, ("access to public records"). |
3 | SECTION 2. Sections 11-49.3-3 and 11-49.3-4 of the General Laws in Chapter 11-49.3 |
4 | entitled "Identity Theft Protection Act of 2015" is hereby amended to read as follows: |
5 | 11-49.3-3. Definitions. |
6 | (a) The following definitions apply to this section: |
7 | (1) "Breach of the security of the system" means unauthorized access or acquisition of |
8 | unencrypted, computerized data information that compromises the security, confidentiality, or |
9 | integrity of personal information maintained by the municipal agency, state agency, or person. |
10 | Good-faith acquisition of personal information by an employee or agent of the agency for the |
11 | purposes of the agency is not a breach of the security of the system; provided, that the personal |
12 | information is not used or subject to further unauthorized disclosure. |
13 | (2) "Encrypted" means the transformation of data through the use of a one hundred twenty- |
14 | eight (128) bit or higher algorithmic process into a form in which there is a low probability of |
15 | assigning meaning without use of a confidential process or key. Data shall not be considered to be |
16 | encrypted if it is acquired in combination with any key, security code, or password that would |
17 | permit access to the encrypted data. |
18 | (3) "Health insurance information" means an individual's health insurance policy number, |
19 | subscriber identification number, or any unique identifier used by a health insurer to identify the |
20 | individual. |
21 | (4) "Incident" means any action taken through the use of an information system or network |
22 | that results in an actual or potentially adverse effect on an information system, network, and/or the |
23 | information residing therein. |
24 | (4)(5) "Medical information" means any information regarding an individual's medical |
25 | history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional |
26 | or provider. |
27 | (5)(6) "Municipal agency" means any department, division, agency, commission, board, |
28 | office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode |
29 | Island, other than a state agency, and any other agency that is in any branch of municipal |
30 | government and exercises governmental functions other than in an advisory nature. |
31 | (6)(7) "Owner" means the original collector of the information. |
32 | (7)(8) "Person" shall include any individual, sole proprietorship, partnership, association, |
33 | corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial |
34 | entity. |
| LC004811 - Page 2 of 6 |
1 | (8)(9) "Personal information" means an individual's first name or first initial and last name |
2 | in combination with any one or more of the following data elements, when the name and the data |
3 | elements are not encrypted or are in hard copy, paper format: |
4 | (i) Social security number; |
5 | (ii) Driver's license number, Rhode Island identification card number, or tribal |
6 | identification number; |
7 | (iii) Account number, credit, or debit card number, in combination with any required |
8 | security code, access code, password, or personal identification number, that would permit access |
9 | to an individual's financial account; |
10 | (iv) Medical or health insurance information; or |
11 | (v) E-mail address with any required security code, access code, or password that would |
12 | permit access to an individual's personal, medical, insurance, or financial account. |
13 | (9)(10) "Remediation service provider" means any person who or that, in the usual course |
14 | of business, provides services pertaining to a consumer credit report including, but not limited to, |
15 | credit report monitoring and alerts, that are intended to mitigate the potential for identity theft. |
16 | (10)(11) "State agency" means any department, division, agency, commission, board, |
17 | office, bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode |
18 | Island general assembly or an agency or committee thereof; the judiciary; or any other agency that |
19 | is in any branch of Rhode Island state government and that exercises governmental functions other |
20 | than in an advisory nature. |
21 | (b) For purposes of this section, personal information does not include publicly available |
22 | information that is lawfully made available to the general public from federal, state, or local |
23 | government records. |
24 | (c) For purposes of this section, "notice" may be provided by one of the following methods: |
25 | (i) Written notice; |
26 | (ii) Electronic notice, if the notice provided is consistent with the provisions regarding |
27 | electronic records and signatures set forth in 15 U.S.C. § 7001; or |
28 | (iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that |
29 | the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the |
30 | affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal |
31 | agency, state agency, or person does not have sufficient contact information. Substitute notice shall |
32 | consist of all of the following: |
33 | (A) E-mail notice when the municipal agency, state agency, or person has an e-mail address |
34 | for the subject persons; |
| LC004811 - Page 3 of 6 |
1 | (B) Conspicuous posting of the notice on the municipal agency's, state agency's or person's |
2 | website page, if the municipal agency, state agency, or person maintains one; and |
3 | (C) Notification to major statewide media. |
4 | 11-49.3-4. Notification of breach. |
5 | (a)(1) Any municipal agency, state agency, or person that stores, owns, collects, processes, |
6 | maintains, acquires, uses, or licenses data that includes personal information shall provide |
7 | notification as set forth in this section of any disclosure of personal information, or any breach of |
8 | the security of the system, that poses a significant risk of identity theft to any resident of Rhode |
9 | Island whose personal information was, or is reasonably believed to have been, acquired by an |
10 | unauthorized person or entity. |
11 | (2) The notification shall be made in the most expedient time possible, but no later than |
12 | forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the |
13 | information required to fulfill the notice requirements contained in subsection (d) of this section, |
14 | and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) |
15 | of this section. In the event that more than five hundred (500) Rhode Island residents are to be |
16 | notified, the municipal agency, state agency, or person shall notify the attorney general and the |
17 | major credit reporting agencies as to the timing, content, and distribution of the notices and the |
18 | approximate number of affected individuals. Notification to the attorney general and the major |
19 | credit reporting agencies shall be made without delaying notice to affected Rhode Island residents. |
20 | (2) An initial notification shall be made in the most expedient time possible, but no later |
21 | than twenty-four (24) hours after confirmation of a cybersecurity incident or breach, to the |
22 | cybersecurity incident response group and the attorney general. Notification requirements |
23 | contained in subsection (d) of this section shall be made no later than fifteen (15) calendar days |
24 | after confirmation of a cybersecurity incident or breach. In all notification requirements, the |
25 | municipal agency, state agency, or person shall notify the attorney general and the major credit |
26 | reporting agencies as to the timing, content, and distribution of the notices and the approximate |
27 | number of affected individuals. Notification to the attorney general and the major credit reporting |
28 | agencies shall be made without delaying notice to affected Rhode Island residents. |
29 | (3) A secondary notification shall be made to the cybersecurity incident response group |
30 | and the attorney general which includes the full details of the agency’s informational technology |
31 | security and operational requirements employed to protect the agency’s data, including, but not |
32 | limited to, documentation and reporting of remedial or corrective action plans to address any |
33 | deficiencies in the information security policies, procedures, and practices of the agency. |
34 | (b) The notification required by this section may be delayed if a federal, state, or local law |
| LC004811 - Page 4 of 6 |
1 | enforcement agency determines that the notification will impede a criminal investigation. The |
2 | federal, state, or local law enforcement agency must notify the municipal agency, state agency, or |
3 | person of the request to delay notification without unreasonable delay. If notice is delayed due to |
4 | such determination, then, as soon as the federal, state, or municipal law enforcement agency |
5 | determines and informs the municipal agency, state agency, or person that notification no longer |
6 | poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant |
7 | to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, |
8 | state, or municipal law enforcement in its investigation of any breach of security or unauthorized |
9 | acquisition or use, which shall include the sharing of information relevant to the incident; provided |
10 | however, that such disclosure shall not require the disclosure of confidential business information |
11 | or trade secrets. |
12 | (c) Any municipal agency, state agency, or person required to make notification under this |
13 | section and fails to do so is liable for a violation as set forth in § 11-49.3-5. |
14 | (d) The notification to individuals must include the following information to the extent |
15 | known: |
16 | (1) A general and brief description of the incident, including how the security breach |
17 | occurred and the number of affected individuals; |
18 | (2) The type of information that was subject to the breach; |
19 | (3) Date of breach, estimated date of breach, or the date range within which the breach |
20 | occurred; |
21 | (4) Date that the breach was discovered; |
22 | (5) A clear and concise description of any remediation services offered to affected |
23 | individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; |
24 | (ii) Remediation service providers; (iii) The attorney general; and |
25 | (6) A clear and concise description of the consumer's ability to file or obtain a police report; |
26 | how a consumer requests a security freeze and the necessary information to be provided when |
27 | requesting the security freeze; and that fees may be required to be paid to the consumer reporting |
28 | agencies. |
29 | SECTION 3. This act shall take effect upon passage. |
======== | |
LC004811 | |
======== | |
| LC004811 - Page 5 of 6 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 | |
*** | |
1 | This act would create a cybersecurity incident response group that would promulgate |
2 | cybersecurity breach related protocols for agencies and public bodies, require immediate notice of |
3 | a breach within twenty-four (24) hours to the cybersecurity incident response group and the |
4 | attorney general, and notice to the affected individuals no later than fifteen (15) days after the |
5 | discovery of the breach. |
6 | This act would take effect upon passage. |
======== | |
LC004811 | |
======== | |
| LC004811 - Page 6 of 6 |