Rhode Island Identity Theft Protection Act of 2015 (Data Breach)
R.I. Gen. Laws § 11-49.3-1, et seq.
SUMMARY:
EFFECTIVE. March 1, 2006 (original act); the 2015 amendments took effect June 26, 2016.
WHO DOES THIS LAW APPLY TO. (1) Any person, business or State agency that owns or licenses computerized data that includes Personal Information; and (2) any person, business or State agency that maintains unencrypted data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of Personal Information maintained by a person, business or State agency. Good faith acquisition of Personal Information by an employee or agent for the legitimate purposes of the person, business or State agency is not a breach, provided the Personal Information is not used for any other purpose or subjected to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or data element is not encrypted:
- Social Security Number.
- Driver's license number or Rhode Island identification card number.
- Account number, credit card or debit card number, in combination with any required security code, access code or password that would permit access to the individual's financial account.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected residents whose Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person, where the breach poses a significant risk of identity theft.
EXCEPTIONS. Notification is not required, or is deemed satisfied, in the following cases:
- No notification is required if the person, business or State agency, after a reasonable investigation or consultation with relevant Federal, State or local law enforcement agencies, determines that the breach will not likely result in a significant risk of identity theft to the individuals involved.
- A person, business or State agency that maintains its own notification procedures as part of a Personal Information security policy, where those procedures are otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if it notifies the affected individuals in accordance with those procedures.
- A person, business or State agency that is regulated by State or Federal law and maintains security breach procedures pursuant to those laws or rules is considered in compliance with this Section if the affected individuals are notified in accordance with those procedures.
- A financial institution, trust company, credit union or affiliate that is subject to and complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is considered in compliance with this Section.
- A health care provider, service plan, insurer or covered entity governed by the medical privacy and security rules issued by the Federal Department of Health and Human Services is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent once the person, business or State agency discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation; in that case, notification must be made promptly after law enforcement determines that it will no longer impede the investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice.
- Electronic notice, if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001.
- Substitute notice, as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business or State agency can demonstrate that the cost of providing notice will exceed $25,000, the affected class of persons to be notified exceeds 50,000, or the person, business or State agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the person, business or State agency has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business or State agency, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. Any person, business or State agency that maintains unencrypted computerized data that includes Personal Information it does not own shall notify the owner or licensee of the data immediately following discovery of a security breach. The person, business or State agency that owns or licenses the data is then responsible for providing notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any person, business or State agency which violates this Section may be assessed a penalty of up to $100 per occurrence, not to exceed $25,000.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. R.I. Gen. Laws § 6-52-1, et seq. A business shall take reasonable steps to destroy or arrange for the destruction of a customer's personal information within its custody and control that is no longer to be retained by the business by shredding, erasing, or otherwise destroying and/or modifying the personal information in those records to make it unreadable or indecipherable through any
LEGISLATIVE UPDATES.
H.B. 6191 – Signed into law on 7/10/2005, Effective 3/1/2006.
S.B. 0134 – enacted 6/26/2015, Effective 6/26/2016.
For more information, see here: http://webserver.rilegislature.gov//Statutes/TITLE11/11-49.3/INDEX.htm
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.