The Rhode Island updates to its breach law that we previously reported on are now effective. As a reminder, under the amended law, notice is now required 45 days after “confirmation of the breach,” and the Rhode Island attorney general is to be notified if 500 Rhode Island residents are impacted. Also modified under the law, Rhode Island joins the growing list of states that include email addresses and passwords as “triggering information.” In other words, information that, if breached, would give rise to a duty to notify. The law also contains a requirement for maintaining a risk-based information security program, and on a going-forward basis, must contractually require third parties to whom they disclose information to protect that information.
TIP: As a reminder, among other changes, notice to Rhode Island AG will now be required if over 500 residents’ information has been breached, and Rhode Island’s law now contains a 45 day notice requirement (after “confirmation” of the breach).