Identity Theft Protection Act of 2015
§ 11-49.3-4 Notification of breach.
[Effective July 2, 2016.].
(a)(1) Any municipal agency, state agency, or person that stores, owns,
collects, processes, maintains, acquires, uses, or licenses data that includes
personal information shall provide notification as set forth in this section of
any disclosure of personal information, or any breach of the security of the
system, that poses a significant risk of identity theft to any resident of
Rhode Island whose personal information was, or is reasonably believed to have
been, acquired by an unauthorized person or entity.
(2) The notification shall be made in the most expedient time
possible, but no later than forty-five (45) calendar days after confirmation of
the breach and the ability to ascertain the information required to fulfill the
notice requirements contained in subsection (d) of this section, and shall be
consistent with the legitimate needs of law enforcement as provided in
subsection (c) of this section. In the event that more than five hundred (500)
Rhode Island residents are to be notified, the municipal agency, state agency,
or person shall notify the attorney general and the major credit reporting
agencies as to the timing, content, and distribution of the notices and the
approximate number of affected individuals. Notification to the attorney
general and the major credit reporting agencies shall be made without delaying
notice to affected Rhode Island residents.
(b) The notification required by this section may be delayed
if a federal, state, or local law enforcement agency determines that the
notification will impede a criminal investigation. The federal, state, or local
law enforcement agency must notify the municipal agency, state agency, or
person of the request to delay notification without unreasonable delay. If
notice is delayed due to such determination, then, as soon as the federal,
state, or municipal law enforcement agency determines and informs the municipal
agency, state agency, or person that notification no longer poses a risk of
impeding an investigation, notice shall be provided as soon as practicable
pursuant to subsection (a)(2). The municipal agency, state agency, or person
shall cooperate with federal, state, or municipal law enforcement in its
investigation of any breach of security or unauthorized acquisition or use,
which shall include the sharing of information relevant to the incident;
provided however, that such disclosure shall not require the disclosure of
confidential business information or trade secrets.
(c) Any municipal agency, state agency, or person required to
make notification under this section and fails to do so is liable for a
violation as set forth in § 11-49.3-5.
(d) The notification to individuals must include the
following information to the extent known:
(1) A general and brief description of the incident,
including how the security breach occurred and the number of affected
(2) The type of information that was subject to the breach;
(3) Date of breach, estimated date of breach, or the date
range within which the breach occurred;
(4) Date that the breach was discovered;
(5) A clear and concise description of any remediation
services offered to affected individuals including toll free numbers and
websites to contact: (i) The credit reporting agencies; (ii) Remediation
service providers; (iii) The attorney general; and
(6) A clear and concise description of the consumer's ability
to file or obtain a police report; how a consumer requests a security freeze
and the necessary information to be provided when requesting the security
freeze; and that fees may be required to be paid to the consumer reporting
History of Section.
(P.L. 2015, ch. 138, § 2; P.L. 2015, ch. 148, § 2.)