On June 26, Rhode Island Governor Gina Raimondo (D) signed into law Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the Act), which clarifies data security measures, expands protection to health data and information in paper form, sets a 45-day notice deadline, requires notification to the state attorney general for some breaches and raises penalties for willful violations of the Act.  When the Act becomes effective, Rhode Island will have one of the shortest statutory deadlines for providing notification.  The Act repeals and replaces Rhode Island’s 2005 breach notification law (132 PRA, 7/12/05).

The law addresses “ambiguities in the existing law, for instance clarifying that municipal agencies are subject to its provisions,” according to a statement by Sen. Louis DiPalma’s office.  The existing statute imposes notice requirements for breaches of unencrypted computerized personal information, while the amended law requires notice for breaches of paper containing personal data.  The law also limits data retention to a period only as long as necessary and requires proper destruction of information when it is no longer retained. Additionally, companies must notify the state attorney general and major credit reporting agencies if more than 500 Rhode Island residents need to be notified of a breach.

Importantly, each company or agency is required to implement “a risk-based information security program” with “reasonable security procedures and practices” appropriate to the size and scope of the organization, the nature of the information, and the purpose for which the information was collected.  For the first time, the statute includes a definition of “encrypted” to require that data be in “a form in which there is a low probability of assigning meaning without use of a confidential process or key.”  The amended law increases the penalty for knowing and willful violations to $200 per record and removes the $25,000 cap for penalties.  The provisions of the law take effect in one year.

Substitute B of S. 0314 is available at http://webserver.rilin.state.ri.us/BillText/BillText15/SenateText15/S0134B.pdf.

Substitute A of H. 5220 is available at http://webserver.rilin.state.ri.us/BillText/BillText15/HouseText15/H5220A.pdf.