As we mentioned before, Rhode Island amended its Identity Theft Protection Act on June 30, 2015, and the amendments take effect on June 26, 2016. Now is the time to put processes in place so that you are in compliance by that date, including implementing data security measures for the personal information of Rhode Island residents.
The biggest changes to the law from its previous version include:
1) Individuals affected by a data breach must be notified within 45 days of the breach. Among the state breach notification laws, this is one of the shortest notification windows, so this deadline should be watched closely.
2) Any entity or person that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program” to protect the information. In practice, this means every employer in the State of Rhode Island must implement a data security program, because all employers hold the personal information, including the Social Security numbers, of their employees. This is similar to the Written Information Security Program (WISP) required in Massachusetts and the Comprehensive Information Security Program required in Connecticut. If you already have a WISP in place to comply with the Massachusetts data security regulations, consider updating it to include the new Rhode Island and Connecticut provisions so that one policy satisfies the requirements of all three states.
3) The statute spells out what the security program must contain. It must be in writing and must include specific security requirements, including, but not limited to, access controls, security measures to protect the information from unauthorized access, use and disclosure, and processes for data retention and destruction.
4) Health insurance information and medical information are now included in the definition of personal information.
5) Notification to individuals must include information about the individual’s right to file or obtain a police report, how to request a security freeze and any fees that may apply to a security freeze, and contact information for the credit reporting agencies, remediation service providers and the Attorney General.
6) The Attorney General of Rhode Island must be notified of any data breach involving more than 500 Rhode Island residents.
7) Penalties are $100 per record for a reckless violation and $200 per record for a knowing and willful violation. The Attorney General may bring an action against any business or person in violation of the statute.
We have been helping clients comply with the new Rhode Island requirements. Review your data security measures now and implement a written information security program that meets the new Rhode Island law so that you are in good shape when it takes effect on June 26, 2016.