By Roger Hood | Governor Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 in June, which will take effect in one year. The Act replaces the 2005 Identity Theft Protection Act and applies to all “persons” that store, collect, process, maintain, acquire, use, own, or license “personal information” about a Rhode Island resident. The definition of persons includes all individuals, including companies. The definition of personal information is consistent with other security definitions for personal information and includes social security numbers, drivers’ license numbers, and credit card numbers.
Each person/company is required to implement and maintain a risk-based information security program that contains reasonable security practices appropriate to the size of the organization, the nature of the personal information, and the purpose for which the information is collected. The program must include a document retention and destruction policy. In addition, any personal information shared with unaffiliated third parties must be by written contract and include consistent security measures.
The Act requires a person that experiences a data breach “… which poses a risk of identity theft to any resident of Rhode Island ….” to notify all affected individuals within 45 calendar days after discovery of the breach, unless delayed by a law enforcement agency. The Act also requires notice to the attorney general and major credit reporting agencies following a data breach if the breach affects more than 500 Rhode Island residents.
Data security is big business. To date, forty-seven states have enacted legislation that require entities to notify individuals of security breaches of personal information. With the revised Act, Rhode Island now joins eight other states that require notification of security breaches involving personal information within a specific time-frame, and twenty-five other states that require notice to an attorney general or a state agency.
To learn more, contact Roger Hood.