Citing the increasing rate in which consumers information is compromised due to data breaches at companies, Attorney General Kilmartin has authored legislation that would, among other things, require that entities who disclose a breach to a victim who is a Rhode Island resident must provide one year of credit monitoring at no cost to the victim.
The legislation - 2014 H7519 "An Act Relating to Criminal Offenses – Identity Theft Protection" - introduced by Representative Brian P. Kennedy (D-District 38. Hopkinton, Westerly), is scheduled to be heard before the House Judiciary Committee this afternoon.
"As we have seen recently in the data breaches of Target and Neiman Marcus, data breaches are occurring more frequently, are more sophisticated and are affecting hundreds of millions of consumers. It is imperative that our data breach laws provide better protection for consumers and provide the necessary tools to prosecute those who take advantage of stolen consumer information," said Attorney General in a letter to the Committee.
The bill amends section 11-49.2-3 ("Notification of a Breach") to provide that entities who must disclose a breach to a Rhode Island resident must also provide the resident with one year of credit monitoring at no cost to the resident. This is a practice that many entities are choosing to provide consumers who have been affected by a data breach, although others provide merely a ninety (90) day fraud alert. Providing one year of credit monitoring to harmed consumers would ensure that consumers are aware of any further damage to their financial well being.
Additionally, the section is amended to provide, in addition to the disclosure of the breach to the consumer, a statement that includes, but is not limited to, the toll-free numbers and addresses for the consumer reporting agencies; the toll-free number, address and website for the Federal Trade Commission; and a statement that an individual can obtain information from these sources regarding fraud alerts and security freezes.
The statute is further amended to require a statement that warns consumers about possible imposters who attempt to fraudulently notify individuals of security breaches in an attempt to obtain personal information from them. Unfortunately fraudulent notification of security breaches is increasing with concerning frequency. These imposters use the vulnerability of an individual harmed by a security breach to further victimize them by obtaining their personal information under the guise of trying to assist them.
Section 11-49.2-5 ("Definitions") would be amended to clarify the definition of "personal information." The new act would repeal the requirement that in order to qualify as personal information an account number, credit or debit card number need to be breached in combination with any required security code, access code or password. Additionally, the act would include personal identification numbers to the definition of "personal information." As technology advances the amount of a consumer's personal information is more accessible than ever before. The ability for a bad actor to find a consumer's PIN number to a debit card or access personal information through a customer loyalty account is becoming effortless. Therefore, it is necessary that our laws are equipped to handle new trends of data breach practices.