The bill amends Section 11-49.3-4 of the Identity Theft Protection Act of 2015, expanding the responsibilities of municipal and state agencies, as well as any other entities that handle personal data, in the event of a security breach. Key insertions include the requirement for these entities to notify affected individuals of any breach without unreasonable delay, and to cooperate with the owner or licensor of the data by providing details about the breach, including the date and steps taken to mitigate it. Additionally, the bill mandates that if more than 500 residents are affected, the agencies must notify the Attorney General, the Department of Business Regulation, and major credit reporting agencies regarding the breach's timing, content, and the number of individuals impacted.

The bill also specifies that notifications to affected individuals must include detailed information about the breach, such as the type of information compromised and available remediation services. It emphasizes that no fees should be charged to consumers requesting a security freeze due to a breach. Furthermore, it clarifies that any delays in notification due to law enforcement requests must be communicated promptly, and that entities failing to notify as required may face penalties. Overall, the bill aims to enhance consumer protection and ensure better communication and cooperation in the event of data breaches.

Statutes affected:
5301: 11-49.3-4