On June 26, 2015, Rhode Island Governor Gina Raimondo signed the “Rhode Island Identity Theft Protection Act of 2015” (“Act”), substantially reworking Rhode Island’s 2005 data breach and identity protection laws. Although it does not formally take effect until June of 2016, it is important for businesses to be aware of the Act’s key provisions and to take proactive measures to ensure timely compliance.
The Act generally applies to any business, person, entity, or municipality that collects and stores “personal information,” such as a person’s first name (or initial) and last name in connection with the following types of additional data:
- Social security number;
- Driver’s license number, Rhode Island identification card number, or tribal identification number;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, password, or personal identification number (e.g., a “PIN”) permitting access to an individual’s financial account;
- Medical or health insurance information; or
- E-mail address with any required security code, access code, or password permitting access to an individual’s personal, medical, insurance, or financial accounts.
Persons or companies subject to the Act must implement and maintain a risk-based information security program that contains reasonable security procedures and practices in light of the size and scope of the organization, the type of information stored, and the reasons why the information was stored and collected. This program must ensure that the information stored is kept confidential and protected from unauthorized access, use, modification, destruction, or disclosure.
The Act also imposes strict obligations to act swiftly in the event of a data breach that poses a “significant risk of identity theft” to any Rhode Island resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. Affected residents must be notified as soon as possible, and the Act sets an outside limit of 45 calendar days for the entity to make this notification. The Act also sets forth the particular requirements for the content of the notification, and if more than 500 Rhode Islanders are to be notified of a breach, the Act requires immediate disclosure of the breach to the Rhode Island Attorney General and the major credit reporting agencies.
Entities that recklessly violate the Act can face severe penalties, including civil fines of up to $100 per breached record. Any knowing or willful violations of the Act carry a $200 penalty per breached record. Further, if the Attorney General’s office has reason to believe that a person or entity has violated the Act, prosecutors are authorized to file legal proceedings against suspected violators.
In summary, the Act provides sweeping changes to Rhode Island law. It’s reasonably likely that many previously implemented data protection policies and procedures will not be compliant with the new Act, and affected individuals, businesses and municipalities are well-advised to revisit old policies to ensure compliance by 2016.