2005 -- S 0880
=======
LC02571
=======

STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2005
____________

A N A C T

RELATING TO CRIMINAL OFFENSES -- COMPUTER CRIME

Introduced By: Senators DaPonte, McCaffrey, Walaska, Gallo, and Connors

Date Introduced: March 02, 2005

Referred To: Senate Judiciary

It is enacted by the General Assembly as follows:

SECTION 1. Chapter 11-52 of the General Laws entitled "Computer Crime" is hereby amended by adding thereto the following section:

11-52-9. Data theft -- Duty to disclose. – (a) Any state agency or person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Rhode Island whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any state agency or person that maintains computerized data that includes personal information that the state agency or person does not own shall notify the owner or licensee of the information of any breach of security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) For the purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the state agency or person. Good faith acquisition of personal information by an employee or agent of the state agency or person for the purposes of the state agency or person is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.

(e) For the purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver's license number or Rhode Island identification card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

(g) For purposes of this section, "notice" may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth on Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the state agency or person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds five hundred thousand dollars ($500,000) or the state agency or person does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the state agency or person has an e-mail address for the subject persons.

(B) Conspicuous posting of the notice on the state agency's or person's website page, if the state agency or person maintains one.

(C) Notification to major statewide media.

(h) Notwithstanding subdivision (g) a state agency or person that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

SECTION 2. This act shall take effect upon passage.

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N A C T

RELATING TO CRIMINAL OFFENSES -- COMPUTER CRIME

***

This act would establish a duty to disclose any breach of security of a computerized data system.

This act would take effect upon passage.