Last year, Rhode Island Gov. Gina M. Raimondo signed the Rhode Island Identity Theft Protection Act of 2015, enacting significant amendments to the state’s existing law. The act set a one-year transition period with its new provisions taking effect on July 2, 2016. With the deadline approaching, we provide this update regarding important steps to ensure your compliance with the act.
The act applies to any business, state or municipal agency, or individual, who or that “stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident.” The act has no exemptions based upon an entity’s size or number of employees.
Inventory Personal Information
A starting point should be a detailed data mapping review, identifying what personal information of Rhode Island residents is in your possession, with a careful understanding of how and why such personal information is collected, processed and stored and by whom. Personal information should be retained only for as long as reasonably necessary for a business purpose or as required under law.
The act expands the scope of covered personal information to include medical or health insurance information. As amended, personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are unencrypted or in hard copy paper format:
Implement a Risk-Based Information Security Program
The act requires a “risk-based information security program” to ensure the proper collection, processing, retention and destruction of personal information. The act recognizes that one size does not fit all entities. Rather, the act calls for “reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected.” This risk-based information security program is similar to Massachusetts’ Written Information Security Program and Connecticut’s Comprehensive Information Security Program.
A security program’s effectiveness depends upon its concise messaging, especially because an organization’s excessive or unclear policy proliferation runs the risk of employee confusion or indifference. The program should be devised, implemented and enforced focusing upon key and interrelated perspectives: legal compliance, operational costs and reputational risks. An organization’s business sector may prescribe specific data security and privacy obligations, so careful analysis must determine all applicable federal and state laws and identify the regulators with oversight and enforcement authority.
As part of its strategic operational planning, an organization should be cognizant of the likely costs of a breach, not only in terms of out-of-pocket losses but also potential business interruption impacts. Further, the security program must promote consumer or constituent confidence by fulfilling its representations regarding the safeguarding and proper use of personal information.
Assess Vendors’ Security Controls
An organization’s risk-based security program is only as strong as the weakest link in its information supply chain. Under the act, an organization that discloses personal information to a nonaffiliated third party must require by written contract that the third party implement and maintain reasonable security protocols. If a third party is unable or unwilling to meet such obligations, the organization should look elsewhere rather than putting itself at risk. An organization should evaluate each vendor’s security protocols as early as the procurement process. Vendor contracts should specify clearly the nature of shared data and expected security controls.
Be Prepared to Notify
The act follows the existing requirement of notification “in the most expedient time possible” upon any disclosure of personal information or any breach of a security system that poses a significant risk of identity theft to a Rhode Island resident. The new law requires the notice to be issued no later than 45 calendar days after the confirmation of the breach and the ability to ascertain the information needed to issue the notice, which is one of the shortest periods among the 47 state data breach notification laws nationally. In fact, legislation is currently pending in the Rhode Island General Assembly (House Bill 7707) to limit this deadline to 14 calendar days. To ensure timely notification, all employees must understand their obligation to alert an authorized supervisor promptly of an unauthorized disclosure or a breach.
Compliance with the act is not a single event, and organizations must not remain static in their data security programs. Continual and critical assessments minimize the potential of data security controls getting compromised or becoming obsolete, especially in the face of evolving threats. An organization’s senior leadership must participate actively in the recognition of and response to internal and external data security risks. Cross-functional teams among key personnel should have clearly defined and evaluated roles, which will promote consistency within the organization’s data collection, storage, processing and destruction protocols. An organization’s carefully crafted and appropriately updated risk-based information security program will enhance its protection of entrusted personal information of Rhode Island residents, as well as minimize the impacts of any business interruptions and allow for prompt notifications in the event of a breach.
Steven M. Richard is an attorney with Nixon Peabody in Providence, R.I. Kate A.F. Martinez is an attorney with Nixon Peabody in Rochester, N.Y. © Nixon Peabody. All Rights Reserved. Reposted with permission.