Rhode Island recently amended its 10-year-old Identity Theft Protection Act effective June 26, 2016, further defining and refining existing data security and breach notification requirements, and adding a requirement to notify the Rhode Island Attorney General of certain breaches. More specifically, the amended statute, available here, makes the following changes to Rhode Island’s existing information security and breach notification law:

  • Modifies the requirement to implement and maintain reasonable policies and procedures to protect personal information of Rhode Island residents, now called a “risk based information security program.”
  • Requires secure destruction of personal information, and prohibits its retention longer than is reasonably required to provide the services requested, to meet the purposes for which it was collected or in accordance with a written retention policy or as may be required by law.
  • Requires that the Rhode Island Attorney General and major credit reporting agencies be notified of data breaches in which more than 500 Rhode Island residents are to be notified.
  • Specifies that breach notification must be provided to affected individuals “in the most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.” (Current law requires notice “in the most expedient time possible and without unreasonable delay.”)
  • Expands the definition of “personal information” triggering breach notification obligations to include medical information and health insurance information, tribal identification numbers and e-mail addresses with any required security code, access code or password that would permit access to an individual’s personal, medical, insurance or financial account.
  • Broadens the definition of “breach of the security of the system” to include “unauthorized access” in addition to “acquisition of” computerized data. (We note, however, that the breach notification requirement is still triggered by acquisition, not access.)
  • Narrows the encryption exception to the breach notification requirement to 128 bit key length or greater encryption.
  • Adds required content for breach notification letters to Rhode Island residents.
  • No longer requires consultation with law enforcement for a data breach risk of harm determination.