2023 -- H 5684 SUBSTITUTE A
========
LC000194/SUB A/2
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2023
____________
A N A C T
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

Introduced By: Representatives Cortvriend, Fogarty, Tanzi, Phillips, Edwards, Solomon,
Date Introduced: February 17, 2023
Referred To: House Innovation, Internet, & Technology
It is enacted by the General Assembly as follows:
SECTION 1. Sections 11-49.3-3 and 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" are hereby amended to read as follows:

11-49.3-3. Definitions.

(a) The following definitions apply to this section:

(1) “Breach of the security of the system” means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.

(2) “Classified data” means any data that is not public (private, sensitive, confidential). Classified data requires additional security controls, such as access restrictions and encryption. Classified data includes personally identifiable information (PII), personally identifiable health information (PHI) or federal tax information (FTI).

(3) “Cybersecurity incident” means unauthorized access that could jeopardize the confidentiality, integrity or availability of critical information systems and critical infrastructure systems (i.e., first responder networks, water, energy).
(2)(4) “Encrypted” means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.
(3)(5) “Health insurance information” means an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

(4)(6) “Medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider.

(5)(7) “Municipal agency” means any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode Island, other than a state agency, and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

(6)(8) “Owner” means the original collector of the information.

(7)(9) “Person” shall include any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.

(8)(10) “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:

(i) Social security number;

(ii) Driver’s license number, Rhode Island identification card number, or tribal identification number;

(iii) Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account;

(iv) Medical or health insurance information; or

(v) E-mail address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.

(9)(11) “Remediation service provider” means any person who or that, in the usual course of business, provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.
(10)(12) “State agency” means any department, division, agency, commission, board, office, bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode Island general assembly or an agency or committee thereof; the judiciary; or any other agency that is in any branch of Rhode Island state government and that exercises governmental functions other than in an advisory nature.
(b) For purposes of this section, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(c) For purposes of this section, “notice” may be provided by one of the following methods:

(i) Written notice;

(ii) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; or

(iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal agency, state agency, or person does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the municipal agency, state agency, or person has an e-mail address for the subject persons;

(B) Conspicuous posting of the notice on the municipal agency’s, state agency’s or person’s website page, if the municipal agency, state agency, or person maintains one; and

(C) Notification to major statewide media.

11-49.3-4. Notification of breach.

(a)(1) Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.
(2) The notification shall be made in the most expedient time possible, but subject to the following:

(i) For state and municipal agencies, no later than forty-five (45) thirty (30) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, or state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents. Where affected employees are represented by a labor union through a collective bargaining agreement, the employer shall also notify the collective bargaining agent, or designee, of such breaches.

(ii) For persons subject to subsection (a)(1) of this section, which is not a state or municipal agency, no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.
(b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

(c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.

(d) The notification to individuals must include the following information to the extent known:

(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;

(2) The type of information that was subject to the breach;
(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;

(4) Date that the breach was discovered;

(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact:

(i) The credit reporting agencies;

(ii) Remediation service providers;

(iii) The attorney general; and

(6) A clear and concise description of the consumer’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.

(e) Remediation services to be provided and to be described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be limited to:

(1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of coverage; and

(2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no less than two (2) years of coverage beyond age eighteen (18).
SECTION 2. Chapter 11-49.3 of the General Laws entitled "Identity Theft Protection Act of 2015" is hereby amended by adding thereto the following section:

11-49.3-7. Notification of cybersecurity incident.

(a) Any municipal agency, state agency, or person that detects a cybersecurity incident shall provide notification to the Rhode Island state police upon detection of the cybersecurity incident within twenty-four (24) hours.

(b) Any municipal agency, state agency, or person required to make notification under this section and fails to do so may be liable for a violation as set forth in § 11-49.3-5.

(c) The notification shall include, at a minimum, the following information to the extent known:

(1) A general and brief description of the incident, including how the cybersecurity incident occurred; and

(2) The date of cybersecurity incident, estimated date of cybersecurity incident, or the date range within which the cybersecurity incident occurred.
SECTION 3. This act shall take effect upon passage.
========
LC000194/SUB A/2
========
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015
***

This act would provide identity theft protections by requiring reporting of breaches by certain municipal and state agencies, and would require notice to collective bargaining agents where required and requires an explanation of remediation services. Cybersecurity incidents would be reported to the Rhode Island state police.

This act would take effect upon passage.