Rhode Island Governor signs new comprehensive Identity Theft Protection Act

Robinson+Cole Data Privacy + Security Insider

On June 26, 2015, Rhode Island Governor Gina Raimondo signed Senate Bill S0134, the Rhode Island Identity Theft Protection Act of 2015, which substantially revises the old law, including breach notification.

Specifically, the new law requires municipal agencies, state agencies and any “person” that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident” to implement “a risk-based information security program” which “contains reasonable security procedures and practices…in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure…”

The law further requires agencies and businesses to implement a written document retention policy and not retain personal information longer than is necessary for the purpose for which it was collected and destroying the information in a secure manner including shredding, pulverization, incineration or erasure.

In addition, all agencies and businesses that disclose personal information of Rhode Island residents to a third party must have a written contract in place with the third party ensuring that the third party has implemented and maintains reasonable security procedures and practices to protect the information.

If an agency or business suffers a data breach, the agency or business must notify individuals of the breach within forty-five (45) days of confirmation of the breach. This is one of the shortest periods of time in national data breach laws. Further, if the breach affects more than 500 individuals, the agency or business must notify the Attorney General, which is also a new provision.

Following Massachusetts, the law sets forth the specific requirements of the notification letter, including that the individual is entitled to file a police report and how to obtain a credit freeze.

Penalties for violation of the Act include a civil suit by the Attorney General and $100 per record for reckless violation of the Act and $200 for knowing or willful violation.

The Act becomes effective on June 26, 2016.

[view source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.