From Rhode Island Lawyers Weekly:
The new identity-theft law replaces a similar one enacted by the General Assembly in 2005 and takes effect June 26, 2016.
A central feature of the act is a requirement that businesses, and any other covered entities that acquire the personal information of Rhode Island residents, implement and maintain a “risk-based information security program.” A security program must include “reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.”
Providence attorney Roger W. Hood recognized an inherent advantage in the “reasonableness” standard adopted by the state legislature.
“It gives small businesses the flexibility to tailor a plan to their needs, balancing both the security requirements that they may have and their overall business requirements,” said Hood, a business and intellectual property lawyer at Duffy & Sweeney.
New G.L. §11-49.3-4(a)(1) obligates covered entities to provide notice to residents whenever a security breach “poses a significant risk of identity theft.” As under the old statute, notice must be provided in the “most expedient time possible.”
The new law, however, adds that notice shall be made “no later” than 45 days after “confirmation of the breach.”