With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.
The Rhode Island Identity Theft Protection Act (Rhode Island Data Law), an update to Rhode Island’s already-existing data security and breach notification law, introduces several new requirements for companies that store, collect, process, use or license personal identifying information (PII) about Rhode Island residents.
A few of these provisions are particularly noteworthy. First, the new law requires entities to “implement and maintain a risk-based information security program which contains reasonable security procedures and practices,” scaled to the size of the entity and the type of personal information in its possession. Second, the Rhode Island Data Law requires that any entity that discloses PII to a third party have a written contract with the third party pursuant to which the third party will also implement and maintain an information security program to protect the personal information. Third, the Rhode Island Data Law requires any entity that experiences a data breach of personal information to notify affected residents within 45 calendar days after it knows that a breach has occurred. (Rhode Island also required this under its previous law, but there was no precise time frame.) Among other information, the notification must now contain information about data protection services to be offered to the resident, as well as information about how the resident can request a security credit freeze.
Under both the old and new laws, a health care provider, insurer or covered entity that follows the medical privacy and security rules established by the federal government pursuant to the Health Insurance Portability and Accountability Act (HIPAA) is deemed compliant with the law’s requirements. The Rhode Island Data Law will become effective June 26, 2016.
The Connecticut Act Improving Data Security and Effectiveness (Connecticut Data Law) similarly updates Connecticut’s existing law and introduces more stringent requirements for entities that store, collect, process, use or license PII about Connecticut residents.
Perhaps most noteworthy, the Connecticut Data Law puts in place important new requirements about notification following a data breach. Unlike the older Connecticut breach notification law, the Connecticut Data Law now requires an entity to notify affected individuals of a data breach within a set time period of 90 days. In addition, if the breach involves disclosure of Social Security numbers, the entity must also provide free credit monitoring services to affected individuals for one year. Many companies already voluntarily provide credit monitoring at no cost to customers affected by a data breach. However, laws like Connecticut’s make credit monitoring a mandatory part of any company’s response.
Additionally, the Connecticut Data Law imposes significant new requirements on insurers and state contractors that handle PII. Health insurers are required to develop and follow a written data security program, and to certify annually to the state insurance department that they are following their written data security program. State contractors must implement and maintain a data security program to safeguard PII and maintain the information in a secure manner as specified in the statute.
The law’s requirements regarding data breach notification become effective October 1, 2015, but insurers have until October 1, 2017 to create and implement the required written data security program.
These new laws highlight important takeaways for businesses:
Any business operating across multiple states must be aware of the specific requirements of state data privacy and breach laws, and updates to those laws.
If other states follow Rhode Island and Connecticut’s lead, state data security and breach notification requirements will continue to become more, not less, stringent.
Any business that collects or maintains data relating to Rhode Island or Connecticut should evaluate its own policies and procedures regarding data security and breach response, and update those procedures in light of the new requirements.