Identity-theft law stronger

In 2005, Rhode Island enacted an identity-theft protection law, which has remained unchanged for the past decade. Over that time, rapidly changing technologies and devious schemes by hackers have posed greater identity-theft risks to Rhode Islanders. Recognizing the need to update our law, the General Assembly passed the Rhode Island Identity Theft Protection Act of 2015, which replaces the 2005 law with enhanced protections for Rhode Islanders. On June 26, Gov. Gina M. Raimondo signed the legislation into law.

While the act will take effect one year following its passage, Rhode Island businesses and governmental bodies should promptly audit and refine their data-security protocols to ensure compliance.

The act applies to individuals, business entities, branches of state government and of municipal government. All must protect the personal information about Rhode Island residents that they store, collect, process, maintain or license.

The act requires implementation and maintenance of a “risk-based, information-security program,” which must contain reasonable security procedures and practices consistent with the size and scope of the organization, the nature of the information, and the purpose for which the information was collected.


Personal information should not be retained for a period longer than is reasonably necessary and must be appropriately destroyed. To comply, organizations should implement a written retention policy or update their existing policy.

Also, organizations must remain diligent when disclosing personal information about Rhode Island residents to a nonaffiliated third party, requiring by written contract that the third party likewise implement and maintain appropriate security procedures.

The legislation imposes notification requirements upon a data breach or unauthorized disclosure of personal information that poses a significant risk of identity theft.

The organization should disclose the following six elements to the extent known:

- Description of the incident, how the breach occurred and the number of affected individuals.
- Type of information that was breached.
- Date or range of dates of the breach.
- Date the breach was discovered.
- Clear and concise description of remediation services to be offered with contact information.
- Clear and concise description of a consumer’s right to file or obtain a police report, how to request a credit freeze, and the fees that may be required to be paid to the consumer reporting agencies.

The legislation broadens provisions deeming an organization to be compliant with the notification requirements if it maintains its own similar security-breach measures or complies with breach procedures imposed under comparable federal laws.

If more than 500 Rhode Islanders must receive the required notification, the organization must likewise notify the attorney general and major credit-reporting agencies. Coordination with law enforcement is essential during the notification process.

The legislation imposes civil penalties for each violation of up to $100 or $200, and there is no cap on the total amount of fines that may be imposed. Also, the attorney general may bring an action to address any violation.

This important legislation is a vital step to bring our state’s data-protection laws in step with the ever-expanding realm of digital information and the omnipresent threats of identity theft in cyberspace.
