May 18, 2016
Author(s): Steven M. Richard
Last year, Rhode Island Governor Gina M. Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (“Act”), enacting significant amendments to the state’s existing law. The Act set a one-year transition period with its new provisions taking effect on July 2, 2016. We previously issued an alert analyzing the Act. With the deadline approaching, we provide this update regarding important steps to ensure your compliance with the Act.
The Act applies to any business, state or municipal agency, or individual, who or that “stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident.” The Act has no exemptions based upon an entity’s size or number of employees.
A starting point should be a detailed data mapping review, identifying what personal information of Rhode Island residents is in your possession, with a careful understanding of how and why such personal information is collected, processed and stored and by whom. Personal information should be retained only for as long as reasonably necessary for a business purpose or as required under law.
The Act expands the scope of covered personal information to include medical or health insurance information. As amended, personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are unencrypted or in hard copy paper format: (i) social security number; (ii) driver’s license number, Rhode Island identification card number, or tribal information number; (iii) account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account; (iv) medical or health insurance information; or (v) e-mail address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.
The Act requires a “risk-based information security program” to ensure the proper collection, processing, retention and destruction of personal information. The Act recognizes that one size does not fit all entities. Rather, the Act calls for “reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected.” This risk-based information security program is similar to Massachusetts’ Written Information Security Program and Connecticut’s Comprehensive Information Security Program.
A security program’s effectiveness depends upon concise messaging, because a proliferation of excessive or unclear policies risks employee confusion or indifference. The program should be devised, implemented and enforced with a focus on three key and interrelated perspectives: legal compliance, operational costs, and reputational risks. An organization’s business sector may prescribe specific data security and privacy obligations, so careful analysis must determine all applicable federal and state laws and identify the regulators with oversight and enforcement authority. As part of its strategic operational planning, an organization should be cognizant of the likely costs of a breach, not only in terms of out-of-pocket losses but also potential business interruption impacts. Further, the security program must promote consumer or constituent confidence by fulfilling its representations regarding the safeguarding and proper use of personal information.
An organization’s risk-based security program is only as strong as the weakest link in its information supply chain. Under the Act, an organization that discloses personal information to a non-affiliated third party must require by written contract that the third party implement and maintain reasonable security protocols. If a third party is unable or unwilling to meet such obligations, the organization should look elsewhere rather than putting itself at risk. An organization should evaluate each vendor’s security protocols as early as the procurement process. Vendor contracts should specify clearly the nature of shared data and expected security controls.
The Act follows the existing requirement of notification “in the most expedient time possible” upon any disclosure of personal information or any breach of a security system that poses a significant risk of identity theft to a Rhode Island resident. The new law imposes a deadline of no later than forty-five calendar days after the confirmation of the breach and ability to ascertain the information to issue the notice, which is one of the shortest periods among the forty-seven state data breach notification laws nationally. In fact, legislation is currently pending in the Rhode Island General Assembly (House Bill 7707) to limit this deadline to fourteen calendar days. To ensure timely notification, all employees must understand their obligation to alert an authorized supervisor promptly of an unauthorized disclosure or a breach.
Compliance with the Act is not a single event, and organizations must not remain static in their data security programs. Continual and critical assessments minimize the potential of data security controls getting compromised or becoming obsolete, especially in the face of evolving threats. An organization’s senior leadership must participate actively in the recognition of and response to internal and external data security risks. Cross-functional teams among key personnel should have clearly defined and evaluated roles, which will promote consistency within the organization’s data collection, storage, processing and destruction protocols. An organization’s carefully crafted and appropriately updated risk-based information security program will enhance its protection of entrusted personal information of Rhode Island residents, as well as minimize the impacts of any business interruptions and allow for prompt notifications in the event of a breach.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.