The bill amends Section 11-49.3-4 of the Identity Theft Protection Act of 2015, expanding the responsibilities of municipal and state agencies, as well as any other entities that store, own, collect, process, maintain, acquire, use, or license data, in the event of a security breach. Key changes include the requirement for these entities to notify affected individuals of any breach in the most expedient time possible and without unreasonable delay. Additionally, they must cooperate with the owner or licensor of the data, which includes informing them of the breach, the date and approximate time of the breach, and any steps taken to minimize the breach upon discovery, while ensuring that confidential business information or trade secrets are not disclosed.

If more than 500 residents are affected, the entities must notify the attorney general, the Department of Business Regulation, and major credit reporting agencies regarding the breach. Notifications to individuals must include detailed information about the breach, such as the nature of the breach, the number of people affected, the name and address of the reporting agency, person, or entity, the person responsible for the breach (if known), and the type of personal information compromised, including but not limited to social security numbers, bank account numbers, and credit/debit card numbers.

Furthermore, the bill specifies that no fees may be required to be paid to consumer reporting agencies when any person requests a security freeze as a result of a breach. The act is designed to enhance consumer protection and ensure accountability for breaches of personal information. The changes will take effect upon passage of the bill.

Statutes affected:
5301: 11-49.3-4