New Rhode Island Law Protects Victims of Businesses’ Data Breaches in 2016

Published 01/27/2016

Cyber data breaches affect individuals, businesses, and the government. Tens of millions of Americans are affected by data breaches every year. In 2014, CNN estimated that 47% of U.S. adults had their personal information stolen by hackers in the preceding twelve months. In the 2013 Target data breach alone, 70 million customers’ personal information was compromised. Data breaches expose consumers to the possibility of costly identity theft and credit card fraud.

The astronomical costs associated with data breaches affect the business involved as well. Currently, the average total cost of a data breach to companies worldwide is $3.79 million per breach, with the most expensive data breach costing approximately $31 million. That number does not include the amount of money companies have spent on public relations campaigns to handle negative publicity and rehabilitate their image, nor does it factor in the expensive legal fees incurred in defending the resulting litigation. To put it simply, data breaches are costly to everyone involved. Nonetheless, at the federal level, there is no single national data breach notification law governing all personal information.

To ensure that Rhode Islanders are adequately protected, the Rhode Island General Assembly has recently enacted legislation addressing data breaches. The Identity Theft Protection Act of 2015 (the “2015 Act”), which will go into effect in June 2016, repeals and replaces a 2005 breach notification law and contains a number of key provisions. The 2015 Act clarifies uncertainties that resulted from prior identity theft laws and expands the protections afforded to Rhode Island residents, including imposing specific notification requirements on companies in the event of a breach.

Under the 2015 Act, persons (including individuals and businesses), municipal agencies, and state agencies must protect the personal information of Rhode Island residents that they store, collect, process, maintain, acquire, use, own or license. A resident’s “personal information” is defined broadly and includes: Social Security number; driver’s license number; account number or credit or debit card number, together with any required code or password that would permit access to an individual’s financial account; medical and health insurance information; and email address, together with any required code or password that would permit access to an individual’s personal, medical, insurance or financial account. The 2015 Act also extends protection to paper records and unencrypted electronic information.

The 2015 Act requires that the listed entities handling residents’ personal information implement a “risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” Personal information must be destroyed in a secure manner and should not be retained for longer than necessary or than the period of time required by law.

In the event of the disclosure of personal information or a breach of a security system posing a significant risk of identity theft to a Rhode Island resident, notice must be provided to those residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. The 2015 Act requires that notice be provided in the “most expedient time possible,” but no later than 45 days after the confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements. If more than 500 Rhode Island residents must receive a notice of breach, then the attorney general and major credit reporting agencies must be notified as well.

The 2015 Act also imposes civil penalties for violations of up to $100 or $200 per record, depending on whether the disclosure or breach was reckless or knowing and willful. However, unlike the previous legislation, the 2015 Act does not cap the total amount of penalties.

If you are a Rhode Island business, or a business storing the information of Rhode Island residents, you should take steps to ensure that your security protocols comply with the 2015 Act before it becomes effective in June 2016.