Rhode Island Governor Signs Comprehensive Identity Theft Protection Act

McGuireWoods LLP
Contact

On June 26, Rhode Island Governor Gina Raimondo (D) signed into law Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the Act), which clarifies data security measures, expands protection to health data and information in paper form, sets a 45-day notice deadline, requires notification to the state attorney general for some breaches and raises penalties for willful violations of the Act.  When the Act becomes effective, Rhode Island will have one of the shortest statutory deadlines for providing notification.  The Act repeals and replaces Rhode Island’s 2005 breach notification law (132 PRA, 7/12/05).

The law addresses “ambiguities in the existing law, for instance clarifying that municipal agencies are subject to its provisions,” according to a statement by Sen. Louis DiPalma’s office.  The existing statute imposes notice requirements for breaches of unencrypted computerized personal information, while the amended law requires notice for breaches of paper containing personal data.  The law also limits data retention to a period only as long as necessary and requires proper destruction of information when it is no longer retained. Additionally, companies must notify the state attorney general and major credit reporting agencies if more than 500 Rhode Island residents need to be notified of a breach.

Importantly, each company or agency is required to implement “a risk-based information security program” with “reasonable security procedures and practices” appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected.  For the first time, the statute includes a definition of “encrypted” to require that data be in “a form in which there is a low probability of assigning meaning without use of a confidential process or key.”  The amended law increases the penalty for knowing and willful violations to $200 per record and removes the $25,000 cap for penalties.  The provisions of the law take effect in one year.

Substitute B of S. 0314 is available at http://webserver.rilin.state.ri.us/BillText/BillText15/SenateText15/S0134B.pdf.

Substitute A of H. 5220 is available at http://webserver.rilin.state.ri.us/BillText/BillText15/HouseText15/H5220A.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP
Contact
more
less

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide