On June 26, 2016, Rhode Island’s Identity Theft Protection Act of 2015 went into effect, repealing and replacing the state’s 2005 breach notification law.

In the decade since Rhode Island enacted its original breach notification law, the use of electronic data has grown exponentially – as has the complexity of data breach regulation. By enacting an entirely new law, Rhode Island legislators were able to implement sweeping changes.

Rhode Island’s Identity Theft Protection Act of 2015 Signing

Pictured left to right: State Police Lt. Col. Todd Catlow; Sen. Cynthia A. Coyne; Attorney General Peter Kilmartin; Governor Gina Raimondo; Jim Ludes, Executive Director of the Pell Center; Rep. Stephen R. Ucci; Sen. Louis P. DiPalma; Rep. Aaron Regunberg. Photo courtesy of State of Rhode Island General Assembly.

“We live in a world where so much, if not all, of our personal information floats around in cyberspace, often with completely inadequate protections,” said Senator Louis P. DiPalma in a statement when the law was passed. “The intent of this legislation is to set standards and to protect that vital information from those who wish to do harm or profit from the most personal details of our lives.”

More About Rhode Island’s Identity Theft Protection Act of 2015

Highlights include:

  • Increased specificity in the notification timeline for affected individuals, from “most expedient” to “no later than 45 calendar days after confirmation of the breach.”
  • Expanded scope of regulated data to include medical information, health insurance information, tribal identification numbers, and email addresses along with any required security code, access code, or password.
  • A new requirement to notify the state attorney general and major credit reporting agencies if more than 500 Rhode Island residents are to be notified.
  • Specified requirements for what content must be included in a notification to affected individuals.
  • Expanded coverage to include paper incidents.

Additional reading:

In 2016, we’ve seen an overall trend in data breach law toward increased stringency and growing complexity in breach notification obligations. Rhode Island’s new Identity Theft Protection Act encompasses all of the trends we’ve featured so far in our 2016 legal trend blog series: significant expansion of the scope of personal information, increased specificity in notification timelines, and increased requirements for notification contents.

What this means for privacy and security teams

If you store, own, collect, process, maintain, acquire, use, or license data that includes personal information of Rhode Island residents, your breach notification obligations have changed significantly.

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws across all jurisdictions – proposed, passed, and now in effect. This means you can expect to see changes applied in RADAR the same date the law goes into effect.