Chapter 285

2009 -- S 0589 SUBSTITUTE A

Enacted 11/13/09

 

AN ACT

RELATING TO COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS

          

     Introduced By: Senators Raptakis, McBurney, Felag, Walaska, and Maselli

     Date Introduced: February 25, 2009

     

It is enacted by the General Assembly as follows:

 

     SECTION 1. Title 6 of the General Laws entitled "COMMERCIAL LAW - GENERAL REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:

 

     CHAPTER 52

SAFE DESTRUCTION OF DOCUMENTS CONTAINING PERSONAL INFORMATION

 

     6-52-1. Definitions. As used in this chapter:

     (1) "Business" means a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state or any other state, or the parent, affiliate, or subsidiary of a financial institution. This term includes any entity that destroys records, including, but not limited to, the state, a state agency, or any political subdivision of the state.

     (2) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business or whose personal information has been provided to another business from that business.

     (3) "Personal information" means the following information that identifies, relates to, describes, or is capable of being associated with a particular individual: his or her signature, social security number, physical characteristics or description, passport number, driver's license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, any other financial information or confidential health care information including all information relating to a patient's health care history, diagnosis condition, treatment, or evaluation obtained from a health care provider who has treated the patient which explicitly or by implication identifies a particular patient.

     (4) "Record" means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted. Record does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

 

     6-52-2. Safe destruction of documents. A business shall take reasonable steps to destroy or arrange for the destruction of a customer's personal information within its custody and control that is no longer to be retained by the business by shredding, erasing, or otherwise destroying and/or modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:

     (1) Ensuring the security and confidentiality of customer personal information;

     (2) Protecting against any reasonably foreseeable threats or hazards to the security or integrity of customer personal information; and

     (3) Protecting against unauthorized access to or use of customer personal information that could result in substantial harm or inconvenience to any customer.

 

     6-52-3. Violations. A business that does not take the reasonable steps when disposing of a customer's personal information set out in section 6-52-2 is in violation of this chapter. For the purposes of this chapter, each record unreasonably disposed of constitutes an individual violation of this chapter.

     (1) A customer who incurs actual damages due to a violation of this chapter may bring a civil action in superior court.

     (2) Whenever the attorney general has reason to believe that a violation of this chapter has occurred and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the business in violation. The business who violates this chapter may be liable in a suit by the attorney general for actual damages of the aggrieved customer and a civil penalty of five hundred dollars ($500) for each violation, not to exceed fifty thousand dollars ($50,000).

 

     6-52-4. Exemptions. This chapter does not apply to any of the following:

     (1) Any bank, credit union, or financial institution as defined under the federal Gramm Leach Bliley Law that is subject to the regulation of the Office of the Comptroller of Currency, the Federal Reserve, the National Credit Union Administration, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the Office of Thrift Supervision and the U.S. Department of the Treasury, or the Department of Business Regulation and is subject to the privacy and security provisions of the Gramm Leach Bliley Act, 15 U.S.C. section 6801 et seq;

     (2) Any health insurer, non profit hospital or medical service corporation as defined in chapters 27-19 and 27-20, and any health care facility that is subject to the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996;

     (3) Any consumer report agency that is subject to and in compliance with the Federal Credit Reporting Act. 15 U.S. C. section 1681 et seq., as amended.

     (4) Any business that enters into a contractual agreement with another business to complete the destruction of a customer’s personal information and has physical evidence of that contractual agreement.

 

     SECTION 2. This act shall take effect on January 1, 2010.

     

=======

LC00413/SUB A/2

=======