by Timothy C. Cavazza and Matthew H. Parker
The Rhode Island Identity Theft Protection Act of 2015 will take full effect on July 2, meaning employers need to have their data security and notification policies in compliance or face serious financial consequences if even one data breach occurs.
The new law applies to employers and municipal agencies. It requires that any person or entity in Rhode Island that stores, collects, processes, maintains, acquires, uses, owns, or licenses “personal information” about a Rhode Island resident to “implement and maintain a risk-based information security program [that] contains reasonable security procedures and practices appropriate [for] the size and scope of [the] organization, the nature of the information[,] and the purpose for which the information was collected.”
The program’s purpose must be twofold: (1) “to protect the personal information from unauthorized access, use, modification, destruction or disclosure” and (2) “to preserve the confidentiality, integrity, and availability of such information.”
Covered entities must ensure that “personal information” is not retained for a period longer than is reasonably required to provide the services requested and satisfy the purpose for which the information was collected in accordance with a written document-retention policy or as required by law. Also, covered entities must ensure they destroy personal information in a secure manner (e.g., by shredding, pulverizing, incinerating, or erasing).
“Personal information” includes an individual’s first name or initial and last name in combination with any of the following data elements when the name and data elements are not encrypted or are stored in hard-copy format:
- Social Security number;
- Driver’s license number, Rhode Island identification card number, or tribal identification number;
- Account, credit card, or debit card number in combination with a required security code, access code, password, or personal identification number that would permit access to an individual’s financial accounts;
- Medical or health insurance information; or
- E-mail address with a required security code, access code, or password that would grant access to an individual’s personal, medical, insurance, or financial accounts.
The law also imposes a duty to notify affected Rhode Island residents in the event of a security breach or unauthorized disclosure. Notification must be provided “in the most expedient time possible” and not more than 45 days after confirmation of a breach. Notification must be provided to the Rhode Island attorney general when a security breach affects more than 500 Rhode Island residents.
For more information on the Rhode Island data security law, see the May issue of Rhode Island Employment Law Letter.
Timothy C. Cavazza and Matthew H. Parker are attorneys with Whelan, Corrente, Kinder & Siket LLP in Providence, Rhode Island. Cavazza can be reached at firstname.lastname@example.org, and Parker can be reached at email@example.com.