New RI Identity Theft Protection Act Requires Businesses to Adopt Cybersecurity Measures

It is not uncommon these days to open the newspaper to reports of businesses that have fallen victim to cyber attacks. But while front-page news tends to focus on security breaches at companies of "Fortune 500" caliber, cyber attacks waged upon small family and middle-market businesses actually occur with greater frequency. In an article published in 2015, "The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses," SEC Commissioner Luis A. Aguilar notes that the FBI reports that ransomware attacks, standing alone, cost companies around the world more than $1 billion between October 2013 and June 2015. While companies of all sizes have lost money to such schemes, small and medium-sized businesses are believed to be the biggest targets.

In response, the Rhode Island General Assembly adopted the Rhode Island Identity Theft Protection Act of 2015. Effective at the end of July 2016, the law is a consumer protection-based statute, which places new responsibilities upon businesses operating in Rhode Island to protect consumer data and to notify consumers in the event of a security breach. Some of the more critical components of the Act, from the business owner and operator perspectives, are as follows:

1. The Act now mandates that all businesses, regardless of size or industry, adopt "risk-based" cybersecurity policies and procedures to secure consumer information and to address cybersecurity breaches. The law requires that these procedures, which should be solidified in written policy form, be bespoke to the business adopting them. In other words, a business's cybersecurity policy should be one that is appropriate for the size and nature of the business, as well as the information collected and stored. The security policy must also set forth procedures for the safe and timely destruction of consumer personal information, including policies which mandate retaining personal information only for such period of time as may be required for the business to provide the goods or services it was engaged to provide.

2. The Act also provides for expedited notice requirements to consumers in the event of a data breach. Businesses must now notify consumers of breaches as soon as possible, but no later than 45 days after the breach is discovered. Moreover, businesses that suffer information breaches involving more than 500 Rhode Island residents are required to notify the Office of the Attorney General and major credit card reporting agencies.

3. The Act has teeth. Rhode Island businesses that suffer a security breach and do not have a security policy in place, and/or that fail to meet the notification requirements of the Act, are subject to substantial penalties: $100 per record for "reckless" violations and $200 per record for "willful" violations. Whereas the predecessor Rhode Island law capped the amount of damages a business would pay for falling short of statutory requirements in relation to the protection of consumer data ($25,000), the new law removes this finite cap. Accordingly, a substantial data breach, coupled with company noncompliance with the Act, could result in a business paying substantial penalties.

The only way to avoid penalties under the Act is for a business to adopt written cybersecurity procedures and to follow the "letter of the law." A business attorney familiar with the Act and the workings of business organizations is likely in the best position to assist in tailoring requisite policies and procedures. If you are interested in learning more about how to protect your business or organization against cyber attacks, contact business lawyer Benjamin L. Rackliffe at 401-824-5100 or email [email protected]. We welcome your comments, questions and suggestions.
