2025 -- H 5301
========
LC000745
========

STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2025
____________

AN ACT

RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015

Introduced By: Representatives Phillips, Serpa, Fellela, Casey, J. Brien, Cruz, O'Brien, Batista, and Costantino
Date Introduced: February 05, 2025
Referred To: House Innovation, Internet, & Technology

It is enacted by the General Assembly as follows:

SECTION 1. Section 11-49.3-4 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" is hereby amended to read as follows:

11-49.3-4. Notification of breach.

(a)(1) Any municipal agency, state agency, or any other person or entity who or that stores, owns, collects, processes, maintains, acquires, uses, or licenses data, or any agency, entity, or any other person that maintains or stores, but does not own or license, data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. In addition to providing notice as required in this section, the municipal agency, state agency, or any other person or entity shall cooperate with the owner or licensor of such information. Such cooperation shall include, but not be limited to, informing the owner or licensor of the breach of security, the date and approximate time of the breach, and any steps taken related to minimizing the breach upon discovery. Cooperation shall not include the requirement that any agency, public or private entity or other person disclose confidential business information or trade secrets.

(2) The notification shall be made in the most expedient time possible and without unreasonable delay, subject to the following:

(i) For state and municipal agencies, no later than thirty (30) calendar days after the municipal agency, state agency or other person or entity knows or has reason to know that any personal information has been acquired or used by an unauthorized person or entity, and/or upon confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode Island residents are to be notified, the The municipal agency or state agency shall notify the attorney general, the department of business regulation, and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general, the department of business regulations, and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents. Where affected employees are represented by a labor union through a collective bargaining agreement, the employer shall also notify the collective bargaining agent, or designee, of such breaches. Notice to the department of attorney general, the department of business regulation, the major credit reporting agencies and designee of impacted labor unions shall include the nature of the breach of security or unauthorized acquisition, the number of people affected by the incident, the name and address of the agency, person or entity reporting the breach of security, the person responsible for committing the breach, if known, and the type of personal information compromised, including, but not limited to, social security numbers, bank account numbers, credit/debit card numbers or any other information that may have the potential to impact any person’s privacy or financial security.

(ii) For persons subject to subsection (a)(1), which is not a state or municipal agency, no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.

(b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.

(c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.

(d) The notification to individuals must include the following information to the extent known:

(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;

(2) The type of information that was subject to the breach;

(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;

(4) Date that the breach was discovered;

(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact:

(i) The credit reporting agencies;

(ii) Remediation service providers;

(iii) The attorney general; and

(6) A clear and concise description of the consumer’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that no fees may be required to be paid to the consumer reporting agencies when any person requesting a security freeze does so as a result of any breach.

(e) For state and municipal agencies remediation services to be provided and to be described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be limited to:

(1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of coverage; and

(2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no less than two (2) years of coverage beyond age eighteen (18).

SECTION 2. This act shall take effect upon passage.

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

AN ACT

RELATING TO CRIMINAL OFFENSES-IDENTITY THEFT PROTECTION ACT OF 2015

***

This act would expand the responsibilities of those municipal or state agencies or any other person or entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data, who experiences a security breach. Responsibilities would include providing additional information to persons affected and providing additional cooperation and information to law enforcement and the department of business regulation (DBR).

This act would take effect upon passage.