
Rhode Island: Act amending data breach notification law enters into effect

On June 27, 2023, Senate Bill No. 5684, an Act relating to Criminal Offenses – Identity Theft Protection Act of 2015, entered into effect following its transmission to the Governor of Rhode Island on June 19, 2023, and its passage by the Rhode Island House Legislature and Rhode Island State Senate. The Act amends the Identity Theft Protection Act of 2015.

Definitions

'Breach of the security of the system' is defined as 'unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.'

'Cybersecurity incident' is defined as 'unauthorized access that could jeopardize the confidentiality, integrity or availability of critical information systems and critical infrastructure systems (i.e., first responder networks, water, energy)'.

Timeframe of notice

The Act notes that any municipal or state agency that detects a cybersecurity incident must notify the Rhode Island state police of the detection of the cybersecurity incident within 24 hours.

In particular, the Act provides that any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

Notification must be made in the most expedient time possible, and for state and municipal agencies no later than 30 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements below.

However, the Act clarifies that where more than 500 Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general (AG) and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the AG and the major credit reporting agencies must be made without delaying notice to affected Rhode Island residents. Where affected employees are represented by a labor union through a collective bargaining agreement, the employer shall also notify the collective bargaining agent, or designee, of such breaches.

Notably, for persons who are not a state or municipal agency, notice must be provided no later than 45 days after confirmation of the breach and the ability to ascertain the notification requirements below. Where more than 500 Rhode Island residents are to be notified, the person shall notify the AG and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the AG and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.

Follow up

In addition, the Act provides that, for state and municipal agencies, the remediation services to be provided shall include, but are not limited to:

  • a minimum of five years of coverage for individuals 18 years of age and older; and
  • coverage until 18 years of age, and no less than two years of coverage beyond 18 for individuals under 18 years of age.

Notification content

Notification must include, at a minimum:

  • a general and brief description of the incident, including how the cybersecurity incident occurred; and
  • the date of the cybersecurity incident, the estimated date of the cybersecurity incident, or the date range within which the cybersecurity incident occurred.

Enforcement

The Act entered into effect on June 27, 2023.

You can read the Act here.