In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group.
On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially updates to the 2005 Identity Theft Protection Act in several key areas and takes effect in one year.
First, the 2015 Act requires entities that experience a data breach “which poses a risk of identity theft to any resident of Rhode Island” to notify affected individuals within 45 calendar days after discovery of the breach. When the 2015 Act becomes effective, Rhode Island will be one of the states with the shortest statutory deadline for providing notification. Florida still has the shortest statutory deadline for notification at thirty days, but Florida’s deadline can be extended by 15 days in certain circumstances.
In addition, the 2015 Act notification to the attorney general following a data breach, but only if the breach affects more than 500 Rhode Islanders.
The 2015 Act will also require entities that handle personal data to implement reasonable security practices and procedures and put in place document retention and destruction policies.