Rhode Island enacts Identity Theft Protection Act of 2015

July 06, 2015

Privacy Alert

Author(s): Stephen D. Zubiago, Steven M. Richard

On June 26, Rhode Island Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”). See P.L. 2015, ch. 138. The Rhode Island General Assembly passed the 2015 Act with bipartisan support, and the new law repeals entirely Rhode Island’s existing identity theft protection provisions enacted in 2005. The 2015 Act, which will take effect in one year, clarifies uncertainties that have grown under the state’s current identity theft laws over the past decade, expands the protections afforded to Rhode Island residents, and imposes specific notification requirements in the event of a breach. Many of the safeguarding requirements codified in the 2015 Act are similar to those stated in Massachusetts’ Data Security Regulations.

To assist in your compliance with the 2015 Act’s requirements, we address its provisions in this alert:

Who is subject to the 2015 Act?

The 2015 Act applies to persons (including individuals and business entities), state agencies and municipal agencies. Unlike the current law, the 2015 Act expressly includes municipal agencies as subject to its requirements. All persons, state agencies and municipal agencies must protect the personal information about a Rhode Island resident that they store, collect, process, maintain, acquire, use, own or license.

How is personal information defined?

Personal information is defined broadly to mean an individual’s first name or first initial and last name, in combination with any one or more of the following data elements, when the name and data elements are not encrypted or are in hard copy paper format:

  • Social security number;
  • Driver license number, Rhode Island identification number or tribal identification number;
  • Account number, credit or debit card number, with any required code or password that would permit access to an individual’s financial account;
  • Medical or health insurance information; or
  • E-mail address with any required code or password that would permit access to an individual’s personal, medical, insurance or financial account.

The new law also adds a definition of “encrypted” to require that data be in “a form in which there is a low probability of assigning meaning without use of a confidential process or key.”

What must be done to protect the personal information of a Rhode Island resident?

The 2015 Act requires the implementation and maintenance of a “risk-based information security program,” which must contain reasonable security procedures and practices consistent with the size and scope of the organization, the nature of the information and the purpose for which the information was collected. Personal information should not be retained for a period longer than is reasonably necessary to provide the services requested or in accordance with a written retention policy or as required by law. Destruction of personal information must occur in a secure manner, including but not limited to, shredding, pulverization, incineration or erasure.

What if personal information is disclosed to a nonaffiliated third party?

If any person, state agency or municipal agency discloses personal information about a Rhode Island resident to a nonaffiliated third party, it must require by written contract that the third party implement appropriate security procedures.

What notice must be given in the event of a breach?

The 2015 Act clarifies the timing and scope of the notification requirements that must occur upon any disclosure of personal information or breach of a security system that poses a significant risk of identity theft to a Rhode Island resident. Like the current law, the 2015 Act requires that the notice must be provided in the “most expedient time possible,” but the new law states expressly that the notice must occur no later than forty-five days after the confirmation of the breach and the ability to ascertain the information to issue the notice. Notice must be provided to any Rhode Island resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

The notice must include the following six elements to the extent known: (1) a description of the incident, how the breach occurred and the number of affected individuals; (2) the type of information that was breached; (3) the date or range of dates of the breach; (4) the date that the breach was discovered; (5) a clear and concise description of remediation services to be offered with contact information; and (6) a clear and concise description of a consumer’s right to file or obtain a police report, how to request a credit freeze and the fees that may be required to be paid to the consumer reporting agencies.

If more than 500 Rhode Island residents must receive a notice of breach, the entity must likewise notify the attorney general and major credit reporting agencies. Notice to Rhode Island residents may be delayed if federal, state or local law enforcement determines that its issuance would impede a criminal investigation, but it must issue promptly once that risk has subsided.

The 2015 Act broadens provisions deeming an entity to be compliant with the notification requirements if it maintains its own similar security breach measures or complies with comparable requirements imposed under federal laws. For example, a financial institution subject to and examined for compliance with the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed to be in compliance with the 2015 Act. Likewise, a health care provider, health care service plan, health insurer or other covered entity governed by the medical privacy rules issued by the Federal Department of Health and Human Services established pursuant to HIPAA shall be deemed in compliance with the Rhode Island law.

What are the penalties for violations?

The 2015 Act imposes civil penalties for each violation of up to $100 or $200 per record depending whether it was reckless or knowing and willful. Unlike the current law, which contains a $25,000 maximum aggregate amount for penalties, the 2015 Act does not have any cap on the total amount of imposed penalties. The attorney general may bring an action in the name of the state and on behalf of the public to address any violation.

What are your next steps?

Careful attention should be given to the implementation of a risk-based information security program that is compliant with the 2015 Act, consistent with the nature of the maintained personal information and fully achievable within your entity’s operations. All levels of your entity, including board members and senior managerial officials, should be proactively involved in the strategic development of the security program. We are available to assist as you evaluate your data security protocols and ensure your compliance with the 2015 Act.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top