| 1 | 1 | | |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | 2025 -- H 5301 |
|---|
| 6 | 6 | | ======== |
|---|
| 7 | 7 | | LC000745 |
|---|
| 8 | 8 | | ======== |
|---|
| 9 | 9 | | S T A T E O F R H O D E I S L A N D |
|---|
| 10 | 10 | | IN GENERAL ASSEMBLY |
|---|
| 11 | 11 | | JANUARY SESSION, A.D. 2025 |
|---|
| 12 | 12 | | ____________ |
|---|
| 13 | 13 | | |
|---|
| 14 | 14 | | A N A C T |
|---|
| 15 | 15 | | RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015 |
|---|
| 16 | 16 | | Introduced By: Representatives Phillips, Serpa, Fellela, Casey, J. Brien, Cruz, O'Brien, |
|---|
| 17 | 17 | | Batista, and Costantino |
|---|
| 18 | 18 | | Date Introduced: February 05, 2025 |
|---|
| 19 | 19 | | Referred To: House Innovation, Internet, & Technology |
|---|
| 20 | 20 | | |
|---|
| 21 | 21 | | |
|---|
| 22 | 22 | | It is enacted by the General Assembly as follows: |
|---|
| 23 | 23 | | SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity 1 |
|---|
| 24 | 24 | | Theft Protection Act of 2015" is hereby amended to read as follows: 2 |
|---|
| 25 | 25 | | 11-49.3-4. Notification of breach. 3 |
|---|
| 26 | 26 | | (a)(1) Any municipal agency, state agency, or any other person or entity who or that stores, 4 |
|---|
| 27 | 27 | | owns, collects, processes, maintains, acquires, uses, or licenses data, or any agency, entity, or any 5 |
|---|
| 28 | 28 | | other person that maintains or stores, but does not own or license, data that includes personal 6 |
|---|
| 29 | 29 | | information shall provide notification as set forth in this section of any disclosure of personal 7 |
|---|
| 30 | 30 | | information, or any breach of the security of the system, that poses a significant risk of identity 8 |
|---|
| 31 | 31 | | theft to any resident of Rhode Island whose personal information was, or is reasonably believed to 9 |
|---|
| 32 | 32 | | have been, acquired by an unauthorized person or entity. In addition to providing notice as required 10 |
|---|
| 33 | 33 | | in this section, the municipal agency, state agency, or any other person or entity shall cooperate 11 |
|---|
| 34 | 34 | | with the owner or licensor of such information. Such cooperation shall include, but not be limited 12 |
|---|
| 35 | 35 | | to, informing the owner or licensor of the breach of security, the date and approximate time of the 13 |
|---|
| 36 | 36 | | breach, and any steps taken related to minimizing the breach upon discovery. Cooperation shall not 14 |
|---|
| 37 | 37 | | include the requirement that any agency, public or private entity or other person disclose 15 |
|---|
| 38 | 38 | | confidential business information or trade secrets. 16 |
|---|
| 39 | 39 | | (2) The notification shall be made in the most expedient time possible and without 17 |
|---|
| 40 | 40 | | unreasonable delay, subject to the following: 18 |
|---|
| 41 | 41 | | (i) For state and municipal agencies, no later than thirty (30) calendar days after the 19 |
|---|
| 42 | 42 | | |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | LC000745 - Page 2 of 5 |
|---|
| 45 | 45 | | municipal agency, state agency or other person or entity knows or has reason to know that any 1 |
|---|
| 46 | 46 | | personal information has been acquired or used by an unauthorized person or entity, and/or upon 2 |
|---|
| 47 | 47 | | confirmation of the breach and the ability to ascertain the information required to fulfill the notice 3 |
|---|
| 48 | 48 | | requirements contained in subsection (d), and shall be consistent with the legitimate needs of law 4 |
|---|
| 49 | 49 | | enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode 5 |
|---|
| 50 | 50 | | Island residents are to be notified, the The municipal agency or state agency shall notify the attorney 6 |
|---|
| 51 | 51 | | general, the department of business regulation, and the major credit reporting agencies as to the 7 |
|---|
| 52 | 52 | | timing, content, and distribution of the notices and the approximate number of affected individuals. 8 |
|---|
| 53 | 53 | | Notification to the attorney general, the department of business regulations, and the major credit 9 |
|---|
| 54 | 54 | | reporting agencies shall be made without delaying notice to affected Rhode Island residents. Where 10 |
|---|
| 55 | 55 | | affected employees are represented by a labor union through a collective bargaining agreement, the 11 |
|---|
| 56 | 56 | | employer shall also notify the collective bargaining agent, or designee, of such breaches. Notice to 12 |
|---|
| 57 | 57 | | the department of attorney general, the department of business regulation, the major credit reporting 13 |
|---|
| 58 | 58 | | agencies and designee of impacted labor unions shall include the nature of the breach of security 14 |
|---|
| 59 | 59 | | or unauthorized acquisition, the number of people affected by the incident, the name and address 15 |
|---|
| 60 | 60 | | of the agency, person or entity reporting the breach of security, the person responsible for 16 |
|---|
| 61 | 61 | | committing the breach, if known, and the type of personal information compromised, including, 17 |
|---|
| 62 | 62 | | but not limited to, social security numbers, bank account numbers, credit/debit card numbers or any 18 |
|---|
| 63 | 63 | | other information that may have the potential to impact any person’s privacy or financial security. 19 |
|---|
| 64 | 64 | | (ii) For persons subject to subsection (a)(1), which is not a state or municipal agency, no 20 |
|---|
| 65 | 65 | | later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain 21 |
|---|
| 66 | 66 | | the information required to fulfill the notice requirements contained in subsection (d), and shall be 22 |
|---|
| 67 | 67 | | consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event 23 |
|---|
| 68 | 68 | | that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify 24 |
|---|
| 69 | 69 | | the attorney general and the major credit reporting agencies as to the timing, content, and 25 |
|---|
| 70 | 70 | | distribution of the notices and the approximate number of affected individuals. Notification to the 26 |
|---|
| 71 | 71 | | attorney general and the major credit reporting agencies shall be made without delaying notice to 27 |
|---|
| 72 | 72 | | affected Rhode Island residents. 28 |
|---|
| 73 | 73 | | (b) The notification required by this section may be delayed if a federal, state, or local law 29 |
|---|
| 74 | 74 | | enforcement agency determines that the notification will impede a criminal investigation. The 30 |
|---|
| 75 | 75 | | federal, state, or local law enforcement agency must notify the municipal agency, state agency, or 31 |
|---|
| 76 | 76 | | person of the request to delay notification without unreasonable delay. If notice is delayed due to 32 |
|---|
| 77 | 77 | | such determination, then, as soon as the federal, state, or municipal law enforcement agency 33 |
|---|
| 78 | 78 | | determines and informs the municipal agency, state agency, or person that notification no longer 34 |
|---|
| 79 | 79 | | |
|---|
| 80 | 80 | | |
|---|
| 81 | 81 | | LC000745 - Page 3 of 5 |
|---|
| 82 | 82 | | poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant 1 |
|---|
| 83 | 83 | | to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, 2 |
|---|
| 84 | 84 | | state, or municipal law enforcement in its investigation of any breach of security or unauthorized 3 |
|---|
| 85 | 85 | | acquisition or use, which shall include the sharing of information relevant to the incident; provided 4 |
|---|
| 86 | 86 | | however, that such disclosure shall not require the disclosure of confidential business information 5 |
|---|
| 87 | 87 | | or trade secrets. 6 |
|---|
| 88 | 88 | | (c) Any municipal agency, state agency, or person required to make notification under this 7 |
|---|
| 89 | 89 | | section and fails to do so is liable for a violation as set forth in § 11-49.3-5. 8 |
|---|
| 90 | 90 | | (d) The notification to individuals must include the following information to the extent 9 |
|---|
| 91 | 91 | | known: 10 |
|---|
| 92 | 92 | | (1) A general and brief description of the incident, including how the security breach 11 |
|---|
| 93 | 93 | | occurred and the number of affected individuals; 12 |
|---|
| 94 | 94 | | (2) The type of information that was subject to the breach; 13 |
|---|
| 95 | 95 | | (3) Date of breach, estimated date of breach, or the date range within which the breach 14 |
|---|
| 96 | 96 | | occurred; 15 |
|---|
| 97 | 97 | | (4) Date that the breach was discovered; 16 |
|---|
| 98 | 98 | | (5) A clear and concise description of any remediation services offered to affected 17 |
|---|
| 99 | 99 | | individuals including toll free numbers and websites to contact: 18 |
|---|
| 100 | 100 | | (i) The credit reporting agencies; 19 |
|---|
| 101 | 101 | | (ii) Remediation service providers; 20 |
|---|
| 102 | 102 | | (iii) The attorney general; and 21 |
|---|
| 103 | 103 | | (6) A clear and concise description of the consumer’s ability to file or obtain a police report; 22 |
|---|
| 104 | 104 | | how a consumer requests a security freeze and the necessary information to be provided when 23 |
|---|
| 105 | 105 | | requesting the security freeze; and that no fees may be required to be paid to the consumer reporting 24 |
|---|
| 106 | 106 | | agencies when any person requesting a security freeze does so as a result of any breach. 25 |
|---|
| 107 | 107 | | (e) For state and municipal agencies remediation services to be provided and to be 26 |
|---|
| 108 | 108 | | described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be 27 |
|---|
| 109 | 109 | | limited to: 28 |
|---|
| 110 | 110 | | (1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of 29 |
|---|
| 111 | 111 | | coverage; and 30 |
|---|
| 112 | 112 | | (2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no 31 |
|---|
| 113 | 113 | | less than two (2) years of coverage beyond age eighteen (18). 32 |
|---|
| 114 | 114 | | |
|---|
| 115 | 115 | | |
|---|
| 116 | 116 | | LC000745 - Page 4 of 5 |
|---|
| 117 | 117 | | SECTION 2. This act shall take effect upon passage. 1 |
|---|
| 118 | 118 | | ======== |
|---|
| 119 | 119 | | LC000745 |
|---|
| 120 | 120 | | ======== |
|---|
| 121 | 121 | | |
|---|
| 122 | 122 | | |
|---|
| 123 | 123 | | LC000745 - Page 5 of 5 |
|---|
| 124 | 124 | | EXPLANATION |
|---|
| 125 | 125 | | BY THE LEGISLATIVE COUNCIL |
|---|
| 126 | 126 | | OF |
|---|
| 127 | 127 | | A N A C T |
|---|
| 128 | 128 | | RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015 |
|---|
| 129 | 129 | | *** |
|---|
| 130 | 130 | | This act would expand the responsibilities of those municipal or state agencies or any other 1 |
|---|
| 131 | 131 | | person or entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data, 2 |
|---|
| 132 | 132 | | who experiences a security breach. Responsibilities would include providing additional 3 |
|---|
| 133 | 133 | | information to persons affected and providing additional cooperation and information to law 4 |
|---|
| 134 | 134 | | enforcement and the department of business regulation (DBR). 5 |
|---|
| 135 | 135 | | This act would take effect upon passage. 6 |
|---|
| 136 | 136 | | ======== |
|---|
| 137 | 137 | | LC000745 |
|---|
| 138 | 138 | | ======== |
|---|