RISBJ Staff | Jan 14, 2016
by Brian J. Lamoureux
This past spring, Rhode Island Governor Gina Raimondo signed into law the “Rhode Island Identity Theft Protection Act of 2015” (“Act”), substantially reworking Rhode Island’s 2005 data breach and identity protection law. Although the Act does not formally take effect until June of 2016, it is important for businesses to be aware of the Act’s key provisions and to take proactive measures to ensure timely compliance with the Act.
The Act generally applies to any business, person, entity, or municipality who collects and stores “personal information,” such as a person’s first name (or initial) and last name in connection with the following types of data:
- Social security number;
- Driver’s license number, Rhode Island identification card number, or tribal identification number;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, password, or personal identification number (e.g., a “PIN”) permitting access to an individual’s financial account;
- Medical or health insurance information; or
- E-mail address with any required security code or access code permitting access to an individual’s personal, medical, insurance, or financial accounts.
Anyone subject to the Act must implement and maintain a risk-based information security program that contains reasonable security procedures and practices in light of the size and scope of the organization, the type of information stored, and the reasons why the information was collected and stored. This program must ensure that the information stored is kept confidential and protected from unauthorized access, use, modification, destruction, or disclosure. The Act also imposes strict and swift notification obligations in the event of a data breach that poses a “significant risk of identity theft” to any Rhode Island resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. Although these notifications to affected residents must occur as soon as possible, the Act sets an outside limit of 45 calendar days for the entity to make them. The Act also sets forth the particular requirements for the notification, and if more than 500 Rhode Islanders are to be notified of a breach, the Act requires immediate disclosure of the breach to the Rhode Island Attorney General and the major credit reporting agencies.
Entities that recklessly violate the Act can face severe penalties, including a civil fine of up to $100 per breached record. Knowing or willful violations of the Act carry a $200 penalty per breached record. Further, if the Attorney General’s office has reason to believe that a person or entity has violated the Act, prosecutors are authorized to file legal proceedings against suspected violators.
In summary, the Act provides sweeping changes to Rhode Island law. Even if a business has had adequate policies and procedures in place to protect information and notify customers in the event of a data breach, chances are those policies and procedures will not be sufficient once the Act takes effect next year. Businesses would be well-advised to dust off their policies and rework them to ensure they are ready to comply with the Act when it takes effect.