2023 -- H 5684 SUBSTITUTE A AS AMENDED

========

LC000194/SUB A/2

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2023

____________

A N   A C T

RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

     

     Introduced By: Representatives Cortvriend, Fogarty, Tanzi, Phillips, Edwards, Solomon,

     Date Introduced: February 17, 2023

     Referred To: House Innovation, Internet, & Technology

     It is enacted by the General Assembly as follows:

1

     SECTION 1. Sections 11-49.3-3 and 11-49.3-4 of the General Laws in Chapter 11-49.3

2

entitled "Identity Theft Protection Act of 2015" are hereby amended to read as follows:

3

     11-49.3-3. Definitions.

4

     (a) The following definitions apply to this section:

5

     (1) “Breach of the security of the system” means unauthorized access or acquisition of

6

unencrypted, computerized data information that compromises the security, confidentiality, or

7

integrity of personal information maintained by the municipal agency, state agency, or person.

8

Good-faith acquisition of personal information by an employee or agent of the agency for the

9

purposes of the agency is not a breach of the security of the system; provided, that the personal

10

information is not used or subject to further unauthorized disclosure.

11

     (2) “Classified data” means any data that is not public (private, sensitive, confidential).

12

Classified data requires additional security controls, such as access restrictions and encryption.

13

Classified data includes personally identifiable information (PII), personally identifiable health

14

information (PHI) or federal tax information (FTI).

15

     (3) “Cybersecurity incident” means unauthorized access that could jeopardize the

16

confidentiality, integrity or availability of critical information systems and critical infrastructure

17

systems (i.e., first responder networks, water, energy).

18

     (2)(4) “Encrypted” means the transformation of data through the use of a one hundred

19

twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability

 

1

of assigning meaning without use of a confidential process or key. Data shall not be considered to

2

be encrypted if it is acquired in combination with any key, security code, or password that would

3

permit access to the encrypted data.

4

     (3)(5) “Health insurance information” means an individual’s health insurance policy

5

number, subscriber identification number, or any unique identifier used by a health insurer to

6

identify the individual.

7

     (4)(6) “Medical information” means any information regarding an individual’s medical

8

history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional

9

or provider.

10

     (5)(7) “Municipal agency” means any department, division, agency, commission, board,

11

office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode

12

Island, other than a state agency, and any other agency that is in any branch of municipal

13

government and exercises governmental functions other than in an advisory nature.

14

     (6)(8) “Owner” means the original collector of the information.

15

     (7)(9) “Person” shall include any individual, sole proprietorship, partnership, association,

16

corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial

17

entity.

18

     (8)(10) “Personal information” means an individual’s first name or first initial and last

19

name in combination with any one or more of the following data elements, when the name and the

20

data elements are not encrypted or are in hard copy, paper format:

21

     (i) Social security number;

22

     (ii) Driver’s license number, Rhode Island identification card number, or tribal

23

identification number;

24

     (iii) Account number, credit, or debit card number, in combination with any required

25

security code, access code, password, or personal identification number, that would permit access

26

to an individual’s financial account;

27

     (iv) Medical or health insurance information; or

28

     (v) E-mail address with any required security code, access code, or password that would

29

permit access to an individual’s personal, medical, insurance, or financial account.

30

     (9)(11) “Remediation service provider” means any person who or that, in the usual course

31

of business, provides services pertaining to a consumer credit report including, but not limited to,

32

credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.

33

     (10)(12) “State agency” means any department, division, agency, commission, board,

34

office, bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode

 

LC000194/SUB A/2 - Page 2 of 7

1

Island general assembly or an agency or committee thereof; the judiciary; or any other agency that

2

is in any branch of Rhode Island state government and that exercises governmental functions other

3

than in an advisory nature.

4

     (b) For purposes of this section, personal information does not include publicly available

5

information that is lawfully made available to the general public from federal, state, or local

6

government records.

7

     (c) For purposes of this section, “notice” may be provided by one of the following methods:

8

     (i) Written notice;

9

     (ii) Electronic notice, if the notice provided is consistent with the provisions regarding

10

electronic records and signatures set forth in 15 U.S.C. § 7001; or

11

     (iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that

12

the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the

13

affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal

14

agency, state agency, or person does not have sufficient contact information. Substitute notice shall

15

consist of all of the following:

16

     (A) E-mail notice when the municipal agency, state agency, or person has an e-mail address

17

for the subject persons;

18

     (B) Conspicuous posting of the notice on the municipal agency’s, state agency’s or

19

person’s website page, if the municipal agency, state agency, or person maintains one; and

20

     (C) Notification to major statewide media.

21

     11-49.3-4. Notification of breach.

22

     (a)(1) Any municipal agency, state agency, or person that stores, owns, collects, processes,

23

maintains, acquires, uses, or licenses data that includes personal information shall provide

24

notification as set forth in this section of any disclosure of personal information, or any breach of

25

the security of the system, that poses a significant risk of identity theft to any resident of Rhode

26

Island whose personal information was, or is reasonably believed to have been, acquired by an

27

unauthorized person or entity.

28

     (2) The notification shall be made in the most expedient time possible, but subject to the

29

following:

30

     (i) For state and municipal agencies, no later than forty-five (45) thirty (30) calendar days

31

after confirmation of the breach and the ability to ascertain the information required to fulfill the

32

notice requirements contained in subsection (d) of this section, and shall be consistent with the

33

legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that

34

more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, or

 

LC000194/SUB A/2 - Page 3 of 7

1

state agency, or person shall notify the attorney general and the major credit reporting agencies as

2

to the timing, content, and distribution of the notices and the approximate number of affected

3

individuals. Notification to the attorney general and the major credit reporting agencies shall be

4

made without delaying notice to affected Rhode Island residents. Where affected employees are

5

represented by a labor union through a collective bargaining agreement, the employer shall also

6

notify the collective bargaining agent, or designee, of such breaches.

7

     (ii) For persons subject to subsection (a)(1) of this section, which is not a state or municipal

8

agency, no later than forty-five (45) calendar days after confirmation of the breach and the ability

9

to ascertain the information required to fulfill the notice requirements contained in subsection (d)

10

of this section, and shall be consistent with the legitimate needs of law enforcement as provided in

11

subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents

12

are to be notified, the person shall notify the attorney general and the major credit reporting

13

agencies as to the timing, content, and distribution of the notices and the approximate number of

14

affected individuals. Notification to the attorney general and the major credit reporting agencies

15

shall be made without delaying notice to affected Rhode Island residents.

16

     (b) The notification required by this section may be delayed if a federal, state, or local law

17

enforcement agency determines that the notification will impede a criminal investigation. The

18

federal, state, or local law enforcement agency must notify the municipal agency, state agency, or

19

person of the request to delay notification without unreasonable delay. If notice is delayed due to

20

such determination, then, as soon as the federal, state, or municipal law enforcement agency

21

determines and informs the municipal agency, state agency, or person that notification no longer

22

poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant

23

to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal,

24

state, or municipal law enforcement in its investigation of any breach of security or unauthorized

25

acquisition or use, which shall include the sharing of information relevant to the incident; provided

26

however, that such disclosure shall not require the disclosure of confidential business information

27

or trade secrets.

28

     (c) Any municipal agency, state agency, or person required to make notification under this

29

section and fails to do so is liable for a violation as set forth in § 11-49.3-5.

30

     (d) The notification to individuals must include the following information to the extent

31

known:

32

     (1) A general and brief description of the incident, including how the security breach

33

occurred and the number of affected individuals;

34

     (2) The type of information that was subject to the breach;

 

LC000194/SUB A/2 - Page 4 of 7

1

     (3) Date of breach, estimated date of breach, or the date range within which the breach

2

occurred;

3

     (4) Date that the breach was discovered;

4

     (5) A clear and concise description of any remediation services offered to affected

5

individuals including toll free numbers and websites to contact:

6

     (i) The credit reporting agencies;

7

     (ii) Remediation service providers;

8

     (iii) The attorney general; and

9

     (6) A clear and concise description of the consumer’s ability to file or obtain a police report;

10

how a consumer requests a security freeze and the necessary information to be provided when

11

requesting the security freeze; and that fees may be required to be paid to the consumer reporting

12

agencies.

13

     (e) For state and municipal agencies remediation services to be provided and to be

14

described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be

15

limited to:

16

     (1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of

17

coverage; and

18

     (2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no

19

less than two (2) years of coverage beyond age eighteen (18).

20

     SECTION 2. Chapter 11-49.3 of the General Laws entitled "Identity Theft Protection Act

21

of 2015" is hereby amended by adding thereto the following section:

22

     11-49.3-7. Notification of cybersecurity incident.

23

     (a) Any municipal agency or state agency, that detects a cybersecurity incident shall

24

provide notification to the Rhode Island state police upon detection of the cybersecurity incident

25

within twenty-four (24) hours.

26

     (b) Any municipal agency or state agency, required to make notification under this section

27

and fails to do so may be liable for a violation as set forth in § 11-49.3-5.

28

     (c) The notification shall include, at a minimum, the following information to the extent

29

known:

30

     (1) A general and brief description of the incident, including how the cybersecurity incident

31

occurred; and

32

     (2) The date of cybersecurity incident, estimated date of cybersecurity incident, or the date

33

range within which the cybersecurity incident occurred.

 

LC000194/SUB A/2 - Page 5 of 7

1

     SECTION 3. This act shall take effect upon passage.

========

LC000194/SUB A/2

========

 

LC000194/SUB A/2 - Page 6 of 7

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

***

1

     This act would provide identity theft protections by requiring reporting of breaches by

2

certain municipal and state agencies, and would require notice to collective bargaining agents

3

where required and requires an explanation of remediation services. Cybersecurity incidents would

4

be reported to the Rhode Island state police.

5

     This act would take effect upon passage.

========

LC000194/SUB A/2

========

 

LC000194/SUB A/2 - Page 7 of 7