Rhode Island Identity Theft Protection Act Updates Breach Notification Laws
State Governor, Gina Raimondo, has added her signature to Senate Bill S0134; otherwise known as the Rhode Island Identity Theft Protection Act (2015). Rhode Island follows other states that have already introduced enhanced data protection and breach notification laws this year; neighboring Connecticut being one of the most recent.
The new act has been introduced to improve protections for state residents and a considerable number of changes have been made to existing state laws. The new Act will become enforceable on June 26, 2016.
The new law requires any “person” –individual or organization – that does business in the state of Rhode Island, and “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident” must ensure that it puts “a risk-based information security program” in place to protect the data held. The Act requires this “in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure.”
The exact protections that must be put in place are not stipulated, although companies must be able to prove that “reasonable security procedures and practices” have been put in place to protect data in the event of an audit.
Change to Breach Notification Period in Rhode Island
In the event of a data breach, any individual, business or agency must issue breach notification letters to the victims within 45 days of discovery of a breach. Under HIPAA Rules, covered entities have up to 60 days and many states are more generous still. However, apart from Florida law which has an even short breach notice period, Rhode Island residents will become among the best protected in the country.
State Attorney Generals Will Fine Violators of State Laws
State attorney generals have been slow to punish organizations for violations of HIPAA, even though they are within their rights to do so, but more state AGs are now taking action for data breaches, and state breach notice laws are being enforced.
When the law comes into effect next year, fines are expected to be issued for any violations discovered. The law allows the state attorney general to take civil action, and fines can be issued for each violation. A penalty of $100 or $200 per record will be issued, depending on whether the violation was reckless or involved willful neglect.
Data Storage Limits and Data Disposal Rules Changed
Other changes introduced with the Act include a requirement to report data breaches involving more than 500 individuals to the state attorney general within the same time frame, and companies are required to implement a time limit on the storage of data to reduce the potential damage caused by a data breach. Records should not be held for longer than necessary, and when personal information is no longer required it must be rendered unreadable and indecipherable.
Business Associate Agreements (Contracts) Must be Used
As with HIPAA, the new Rhode Island Identity Theft Protection Act places restrictions on the individuals that can be supplied with personal information. The new Act stipulates that all persons holding data on state residents must issue written contract (such as a HIPAA Business Associate Agreement or BAA) prior to any personal information being divulged to a third party.
The contract must state the measures that must be put in place to protect any data supplied, and the vendor or contractor must agree to “maintain reasonable security procedures and practices to protect any data supplied,” which extends to ensuring any personal information is permanently destroyed when it is no longer required.