On June 26, 2015, the “Rhode Island Identity Theft Protection Act of 2015” was signed into law. The new law requires state agencies, municipal agencies, and any “person” that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident” to create a security program with “procedures and practices…to protect the personal information from unauthorized access, use, modification, destruction or disclosure.” The law requires agencies and businesses that share personal information of Rhode Island residents with a third party to have a written contract with the third party establishing security procedures and practices to safeguard the information.

Additionally, the law dictates that agencies and businesses must: have a written document retention policy; dispose of personal information after it has served the purpose for which it was collected; and destroy any information using a secure method such as incineration, shredding, or pulverization.

In the event of a data breach, the new law requires a breached agency or business to notify affected individuals within 45 days of breach confirmation. For any breach affecting more than 500 individuals, the breached entity must also provide notification to the Attorney General. Penalties for a violation of the Act may include monetary fines for reckless, knowing, or willful violations of the Act and a civil suit from the Attorney General. The law goes into effect June 26, 2016.