In a speech at the Federal Trade Commission on January 12, 2015, President Barack Obama recognized that identity theft poses a direct threat to the financial security of Americans.
President Obama acknowledged, “We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days.”
Over the last decade, similar bills have been proposed to replace the separate state and territorial breach notification laws with a single federal standard. To date, no such law has passed. According to the FTC’s Consumer Sentinel Network Data Book for 2013 (published 2014), the CSN received over 2 million consumer complaints in 2013, and identity theft complaints accounted for 14% of them. Government documents/benefits fraud (34%) was the most common form of reported identity theft, followed by credit card fraud (17%), phone or utilities fraud (14%), and bank fraud (8%). Other significant categories reported by victims were employment-related fraud (6%) and loan fraud (4%).
Rhode Island’s legislative leadership took action to protect the personal information of Rhode Island residents. Senator Louis P. DiPalma and Representative Stephen R. Ucci, the sponsors of the Identity Theft Protection Act of 2015 (S0134), noted in a Rhode Island State House press release, “Technology has come a considerable distance in the last decade, and it’s time for the state’s identity theft statute to be brought up to date as well.” According to the release, the pair introduced the bill to better protect citizens from identity theft and to govern the steps that businesses and other entities must take to safeguard their systems and prevent the theft of personal information, whether held in electronic or paper form.
“Our current identity theft law was a step in the right direction at a time when we didn’t have much on the books defining the crime and seeking to prevent it. But in the decade that’s passed, new technology has developed, hackers have become more adept, and we’ve identified some weaknesses in the law that we needed to address. This bill is aimed at giving Rhode Islanders better protection in a rapidly changing world of technology,” said Senator DiPalma.
Representative Ucci stated, “Data breaches, unfortunately, are a widespread problem, and we need to learn from the experience of recent years to strengthen and clarify this law so it truly prevents identity theft and so businesses and others storing individuals’ information know clearly what their responsibilities are.”
The legislation addresses ambiguities in the existing law by repealing it and redrafting it to:
- clarify that municipal agencies are subject to its provisions;
- specify that individuals whose information was involved in the breach be notified no later than 15 calendar days after its discovery, and list what that notice must contain;
- require that the entity notify the Rhode Island Attorney General and the major credit reporting agencies immediately, and that it cooperate and share threat information with any federal, state, or municipal law enforcement agency investigating the breach; and
- define “personal information” protected by the act to include medical information, health insurance information, and email addresses when acquired with their passwords or other access codes.
The most notable addition is a set of new data security requirements. Any agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident would be required to implement and maintain a risk-based information security program. That program must contain reasonable security procedures and practices, appropriate to the size and scope of the organization, the nature of the information, and the purpose for which it was collected, to protect the personal information. Many of these safeguarding requirements resemble the current Massachusetts Data Security Regulations at 201 CMR 17.00, which require a written information security program and contractual safeguards from third-party service providers; the resemblance is closest in the area of vendor management. The legislation also broadens a safe-harbor provision: an entity subject to the law is deemed compliant with the notification requirements if it maintains its own comparable breach notification procedures or already complies with similar federal laws.
Under the existing data breach notification law, each violation can draw a civil penalty of up to $100, with total penalties capped at $25,000. The legislation increases these penalties. The bill would remove the cap on total fines and assess penalties per record rather than per violation: up to $100 per record for a reckless violation and up to $200 per record for a knowing and willful violation.
The legislation was developed after a September workshop on strengthening the law, organized by the Rhode Island Corporate Cybersecurity Initiative, a part of the Pell Center Cyber Leadership Project, which is supported by the Verizon Foundation and housed at the Pell Center for International Relations and Public Policy at Salve Regina University in Newport.