Rhode Island has amended its data breach law to add stricter security and notification requirements.  Under S. 0134, which was signed into law on June 26, individuals, municipal agencies, and state agencies that handle state residents’ personal information must implement a “risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.”  These entities must also destroy all personal information in a secure manner and avoid retaining it for longer than necessary or required by law.  Additionally, the law expands the definition of personal information to include medical and health insurance information, as well as email addresses when acquired with passwords or other access codes “that would permit access to an individual’s personal, medical, insurance or financial account.”  The law applies to paper records as well as unencrypted electronic information and takes effect June 26, 2016.