§ 19-14-36. Notification of a security event.
(a) Each licensee shall notify the director or the director's designee as promptly as
possible, but in no event later than three (3) business days from a determination
that a security event has occurred when either of the following criteria has been
met:
(1) A security event impacting the licensee of which notice is required to be provided
to any governmental body, self-regulatory agency, or any other supervisory body pursuant
to any state or federal law; or
(2) A security event that has a reasonable likelihood of materially harming:
(i) Any consumer residing in this state; or
(ii) Any material part of the normal operation(s) of the licensee.
(b) The licensee shall provide any information required by this section in electronic
form as directed by the director or the director's designee. The licensee shall have
a continuing obligation to update and supplement initial and subsequent notifications
to the director or the director's designee concerning the security event. The following
information shall be provided:
(1) The name and contact information of the reporting licensee;
(2) A description of the types of information that were involved in the notification event;
(3) If the information is possible to determine, the date or date range of the notification
event;
(4) The total number of consumers in this state affected or potentially affected by the
notification event. The licensee shall provide the best estimate in the initial report
to the director or the director's designee and update this estimate with each subsequent
report;
(5) A general description of the notification event including how the information was
exposed, lost, stolen, or breached, detailing specific roles and responsibilities
of third-party service providers, if any;
(6) A description of efforts being undertaken to remediate the situation that permitted
the security event to occur; and
(7) Whether any law enforcement official has provided the licensee with a written determination
that notifying the public of the breach would impede a criminal investigation or cause
damage to national security, and a means for the director or the director's designee
to contact the law enforcement official. A law enforcement official may request an
initial delay of up to thirty (30) days following the date when notice was provided
to the director or the director's designee. The delay may be extended for an additional
period of up to sixty (60) days if the law enforcement official seeks such an extension
in writing. Additional delay may be permitted only if the director or the director's
designee determines that public disclosure of a security event continues to impede
a criminal investigation or cause damage to national security.
(8) Name of contact person who is both familiar with the security event and is authorized
to act for the licensee.
(c) A licensee shall comply with chapter 49.3 of title 11, as applicable, and provide a copy of the notice sent to consumers under that chapter
to the director or the director's designee, when a licensee is required to notify
the director or the director's designee.
(d) The provisions of this section shall not apply to any regulated institution as defined
in § 19-1-1, or subsidiary of such regulated institution, or any bank holding company or subsidiary
of a bank holding company subject to federal bank holding company laws and regulations.