The Rhode Island General Assembly amended the state’s data breach law, known as the Rhode Island Identity Theft Protection Act (Act) that makes significant changes to notification requirements for state and municipal agencies in the event of a data breach.

The Act requires state agencies and municipalities to notify the State Police of an incident within 24 hours of discovery of the incident, notify individuals as expediently as possible, within 30 days (as opposed to 45 days for non-public agencies), and to notify the collective bargaining agent if any of the recipients of the notice are represented by a labor union through a collective bargaining unit.

In addition, the new amendment requires all data breaches that affect more than 500 Rhode Islanders to notify the Attorney General, major credit reporting agencies “as to the timing, content, and distribution of the notice and the approximate number of affected individuals.”

Finally, the amendment requires state and municipal agencies to provide five years of remediation services for individuals over the age of 18, and coverage for minors until they reach the age of 20. The amendment became effective upon passage.