A number of states have revised their data breach and security incident laws in recent months, and Rhode Island has now updated its breach notification law as well.
The revised Rhode Island law sets one of the shortest breach notification periods in the country: affected individuals must be notified within 45 days of the breach being confirmed, and any breach affecting more than 500 Rhode Island residents must also be reported to the state Attorney General. Only Florida's breach notification law is tougher on this point, with a 30-day deadline.
The update was seen as necessary because the risk of attacks by malicious outsiders had grown sharply, and state residents needed stronger protections to avoid identity theft and other losses stemming from the theft of their personal data.
Rhode Island Data Breach Laws Updated
The new breach notification requirements have been introduced as part of the Rhode Island Identity Theft Protection Act of 2015. Senate Bill S0134 has now been signed by Governor Gina Raimondo and comes into effect on June 26, 2016.
From that date, any person, organization, or business doing business in the state must abide by the new law if it “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident.”
“A risk-based information security program” must also be devised and put into place “in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure.”
As with the Health Insurance Portability and Accountability Act (HIPAA) and other state data breach laws, the exact measures that must be put in place to protect data are not stipulated. Each individual or business must assess the risk of data exposure and implement protections appropriate to that level of risk.
HIPAA requires a Business Associate Agreement with any business associate that handles protected health information. The Rhode Island Identity Theft Protection Act includes a comparable provision: a written contract must be in place with any third party before personal information is transferred to, accessed, viewed, or used by it, and the contract must require the third party to “maintain reasonable security procedures and practices to protect any data supplied.”
Personal information must not be held indefinitely. It may be retained only for as long as is needed to achieve the purpose for which it was collected, and must be permanently destroyed once it is no longer required.
Financial Penalties will be Issued for Non-Compliance with Breach Notification Laws in Rhode Island
Individuals and companies must be able to demonstrate that “reasonable security procedures and practices” have been put in place to protect personal information. Failure to do so, or an inability to prove it, can result in enforcement action by the state Attorney General. Financial penalties can also be imposed on those who fail to implement appropriate controls or fail to notify individuals in the event of a data breach.
Penalties are assessed per record: up to $100 per affected record for reckless violations of the Act, rising to up to $200 per record for knowing and willful violations of the Rhode Island breach notification requirements (or any other provision of the Rhode Island Identity Theft Protection Act).