On June 26, 2015, Rhode Island Governor Gina Raimondo signed Senate Bill S0134, the Rhode Island Identity Theft Protection Act of 2015, which substantially revises the old law, including breach notification.
Specifically, the new law requires municipal agencies, state agencies and any “person” that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident” to implement “a risk-based information security program” which “contains reasonable security procedures and practices…in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure…”
The law further requires agencies and businesses to implement a written document retention policy and not retain personal information longer than is necessary for the purpose for which it was collected and destroying the information in a secure manner including shredding, pulverization, incineration or erasure.
In addition, all agencies and businesses that disclose personal information of Rhode Island residents to a third party must have a written contract in place with the third party ensuring that the third party has implemented and maintains reasonable security procedures and practices to protect the information.
If an agency or business suffers a data breach, the agency or business must notify individuals of the breach within forty-five (45) days of confirmation of the breach. This is one of the shortest periods of time in national data breach laws. Further, if the breach affects more than 500 individuals, the agency or business must notify the Attorney General, which is also a new provision.
Following Massachusetts, the law sets forth the specific requirements of the notification letter, including that the individual is entitled to file a police report and how to obtain a credit freeze.
Penalties for violation of the Act include a civil suit by the Attorney General and $100 per record for reckless violation of the Act and $200 for knowing or willful violation.
The Act becomes effective on June 26, 2016.