Rhode Island Amends Identity Theft Protection Act

Locke Lord LLP

Rhode Island recently amended its 10-year-old Identity Theft Protection Act effective June 26, 2016, further defining and refining existing data security and breach notification requirements, and adding a requirement to notify the Rhode Island Attorney General of certain breaches. More specifically, the amended statute, available here, makes the following changes to Rhode Island’s existing information security and breach notification law:

  • Modifies the requirement to implement and maintain reasonable policies and procedures to protect personal information of Rhode Island residents, now called a “risk based information security program.”
  • Requires secure destruction of personal information, and prohibits its retention longer than is reasonably required to provide the services requested, to meet the purposes for which it was collected or in accordance with a written retention policy or as may be required by law.
  • Requires that the Rhode Island Attorney General and major credit reporting agencies be notified of data breaches in which more than 500 Rhode Island residents are to be notified.
  • Specifies that breach notification must be provided to affected individuals “in the most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.” (Current law requires notice “in the most expedient time possible and without unreasonable delay.”)
  • Expands the definition of “personal information” triggering breach notification obligations to include medical information and health insurance information, tribal identification numbers and e-mail addresses with any required security code, access code or password that would permit access to an individual’s personal, medical, insurance or financial account.
  • Broadens the definition of “breach of the security of the system” to include “unauthorized access” in addition to “acquisition of” computerized data. (We note, however, that the breach notification requirement is still triggered by acquisition, not access.)
  • Narrows the encryption exception to the breach notification requirement to encryption with a key length of 128 bits or greater.
  • Adds required content for breach notification letters to Rhode Island residents.
  • No longer requires consultation with law enforcement for a data breach risk of harm determination.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
