Prepare for Rhode Island’s New Identity Theft Protection Act

By Steven M. Richard and Kate A.F. Martinez

May 27, 2016

Last year, Rhode Island Gov. Gina M. Raimondo signed the Rhode Island Identity Theft Protection Act of 2015, enacting significant amendments to the state’s existing law. The act set a one-year transition period with its new provisions taking effect on July 2, 2016. With the deadline approaching, we provide this update regarding important steps to ensure your compliance with the act.

The act applies to any business, state or municipal agency, or individual, who or that “stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident.” The act has no exemptions based upon an entity’s size or number of employees.

Inventory Personal Information

A starting point should be a detailed data mapping review, identifying what personal information of Rhode Island residents is in your possession, with a careful understanding of how and why such personal information is collected, processed and stored and by whom. Personal information should be retained only for as long as reasonably necessary for a business purpose or as required under law.

The act expands the scope of covered personal information to include medical or health insurance information. As amended, personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are unencrypted or in hard copy paper format:

  • Social security number.
  • Driver’s license number, Rhode Island identification card number or tribal information number.
  • Account number, credit or debit card number, in combination with any required security code, access code, password or personal identification number that would permit access to an individual’s financial account.
  • Medical or health insurance information.
  • E-mail address with any required security code, access code or password that would permit access to an individual’s personal, medical, insurance or financial account.

Implement a Risk-Based Information Security Program

The act requires a “risk-based information security program” to ensure the proper collection, processing, retention and destruction of personal information. The act recognizes that one size does not fit all entities. Rather, the act calls for “reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected.” This risk-based information security program is similar to Massachusetts’ Written Information Security Program and Connecticut’s Comprehensive Information Security Program.

A security program’s effectiveness depends on concise messaging, because excessive or unclear policies risk leaving employees confused or indifferent. The program should be devised, implemented and enforced with a focus on key, interrelated perspectives: legal compliance, operational costs and reputational risks. An organization’s business sector may prescribe specific data security and privacy obligations, so careful analysis must determine all applicable federal and state laws and identify the regulators with oversight and enforcement authority.

As part of its strategic operational planning, an organization should be cognizant of the likely costs of a breach, not only in terms of out-of-pocket losses but also potential business interruption impacts. Further, the security program must promote consumer or constituent confidence by fulfilling its representations regarding the safeguarding and proper use of personal information.

Assess Vendors’ Security Controls

An organization’s risk-based security program is only as strong as the weakest link in its information supply chain. Under the act, an organization that discloses personal information to a nonaffiliated third party must require by written contract that the third party implement and maintain reasonable security protocols. If a third party is unable or unwilling to meet such obligations, the organization should look elsewhere rather than putting itself at risk. An organization should evaluate each vendor’s security protocols as early as the procurement process. Vendor contracts should specify clearly the nature of shared data and expected security controls.

Be Prepared to Notify

The act retains the existing requirement of notification “in the most expedient time possible” upon any disclosure of personal information or any breach of a security system that poses a significant risk of identity theft to a Rhode Island resident. The new law also requires that the notice be issued no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information needed to issue the notice, which is one of the shortest periods among the 47 state data breach notification laws nationally. In fact, legislation is currently pending in the Rhode Island General Assembly (House Bill 7707) to limit this deadline to 14 calendar days. To ensure timely notification, all employees must understand their obligation to promptly alert an authorized supervisor to an unauthorized disclosure or a breach.

Stay Proactive

Compliance with the act is not a single event, and organizations must not remain static in their data security programs. Continual and critical assessments minimize the potential of data security controls getting compromised or becoming obsolete, especially in the face of evolving threats. An organization’s senior leadership must participate actively in the recognition of and response to internal and external data security risks. Cross-functional teams among key personnel should have clearly defined and evaluated roles, which will promote consistency within the organization’s data collection, storage, processing and destruction protocols. An organization’s carefully crafted and appropriately updated risk-based information security program will enhance its protection of entrusted personal information of Rhode Island residents, as well as minimize the impacts of any business interruptions and allow for prompt notifications in the event of a breach.

Steven M. Richard is an attorney with Nixon Peabody in Providence, R.I. Kate A.F. Martinez is an attorney with Nixon Peabody in Rochester, N.Y. © Nixon Peabody. All Rights Reserved. Reposted with permission.
