
§11-49.3-4  Notification Of Breach. [Effective July 2, 2016.]. –


Published: 2015

TITLE 11

Criminal Offenses

CHAPTER 11-49.3

Identity Theft Protection Act of 2015

SECTION 11-49.3-4



   § 11-49.3-4  Notification of breach. [Effective July 2, 2016.]. –

(a)(1) Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.



   (2) The notification shall be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.



   (b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.



   (c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.



   (d) The notification to individuals must include the following information to the extent known:



   (1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;



   (2) The type of information that was subject to the breach;



   (3) Date of breach, estimated date of breach, or the date range within which the breach occurred;



   (4) Date that the breach was discovered;



   (5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and



   (6) A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.



History of Section.

(P.L. 2015, ch. 138, § 2; P.L. 2015, ch. 148, § 2.)