Senators Introduce Identity Theft Bill

The following is a State House press release:

In 2005, YouTube got its start and blogs were just beginning to catch on. The latest cellular phones flipped open or featured slide-out keyboards, “push to talk” technology and AOL’s or Yahoo’s instant messenger, and boasted that they could do much of what PDAs could do. A format war was brewing between Blu-ray and HD DVD.

And Rhode Island enacted its current statute protecting consumers from identity theft.

Technology has come a considerable distance in the last decade, and it’s time for the state’s identity theft statute to be brought up to date as well, say Sen. Louis P. DiPalma and Rep. Stephen R. Ucci, the sponsors of the Identity Theft Protection Act of 2015.

The pair is introducing the legislation after working alongside a coalition of law enforcement, legal, technological, communication and finance industry professionals, academics and others for months to craft a bill that would better protect citizens from identity theft and govern the steps that businesses and other entities must take to prevent the theft of personal information from their systems.

Under the Identity Theft Protection Act of 2015 (2015-S 0134), anyone who stores, collects, processes, maintains, acquires, uses, licenses or owns personal information about a Rhode Island resident will be required to implement reasonable security procedures and practices appropriate to the nature of the information and to protect personal information from unauthorized access, use, modification, destruction or disclosure of that personal information. It requires swift notification whenever there is a breach in the security system protecting personal information that poses a risk of identity theft to any Rhode Islander.

The bill is aimed at clarifying what a business or other entity must do in the event of a data security breach to notify those potentially affected.

“Our current identity theft law was a step in the right direction at a time when we didn’t have much on the books defining the crime and seeking to prevent it. But in the decade that’s passed, new technology has developed, hackers have become more adept, and we’ve identified some weaknesses in the law that we need to address. This bill is aimed at giving Rhode Islanders better protection in a rapidly changing world of technology,” said Senator DiPalma (D-Dist. 12, Middletown, Little Compton, Tiverton).

Said Representative Ucci (D-Dist. 42, Johnston, Cranston), “What we discovered in the years that have passed since this law was enacted was that it’s not clear what a business’s responsibility is when it has a data breach, or what they are required to share with law enforcement agencies about it. Data breaches, unfortunately, are a widespread problem, and we need to learn from the experience of recent years to strengthen and clarify this law so it truly prevents identity theft and so businesses and others storing individuals’ information know clearly what their responsibilities are.”

The legislation addresses ambiguities in the existing law, for instance clarifying that municipal agencies are subject to its provisions. It also specifies that those whose information was subject to the breach be notified no later than 15 calendar days after its discovery, instead of “in the most expedient time possible,” as the current law states, and includes information about what must be included in that notice. It also requires that the entity notify the attorney general and major credit reporting agencies immediately, and must cooperate with all federal, state or municipal law enforcement agencies investigating the breach.

It adds medical information, health insurance information and email addresses when acquired with their passwords or other access codes into the current definition of the “personal information” protected by the act.

Additionally, the bill changes penalties for violating the chapter. Currently, each violation could draw up to a $100 civil penalty, not to exceed a $25,000 total. The bill would eliminate the limit on the total fines, and allow each violation to be subject to fines of up to $200 instead of $100 if the violation was knowing and willful.

The legislation broadens a provision by which an entity subject to the law can be deemed compliant to include all that maintain their own similar security breach procedures or is already in compliance with similar federal laws.

The legislation was developed after a workshop on strengthening the law organized in September by the Rhode Island Corporate Cybersecurity Initiative, a part of the Pell Center Cyber Leadership Project, supported by the Verizon Foundation and housed at the Pell Center for International Relations and Public Policy at Salve Regina University in Newport. Those who contributed to its development include John Alfred, Staci Shepherd, Danica Iacoi and Eric Yelle of the State Police; Joee Lindbeck and Matt Lenz of the Attorney General’s Office; Neena Savage of the Department of Business Regulation; Scott Baron and Mike Andreozzi of National Grid; Mary Ann Clancy of the Credit Union Association of Rhode Island; Michele Cinquegrano of Verizon; Will Farrell and Patricia Octeau representing AT&T; Francesca Spidalieri, Jim Ludes, Ken Bell, Teresa Hass and Joseph Grady of the Pell Center; Ellen Giblin of Locke Lord Edwards; and Senate Legal Counsel Patricia Breslin.