Skip to content

menu

Open Legal Blog Archive logo
HomeAboutBlogsFAQsSubmit

Rhode Island Governor signs new comprehensive Identity Theft Protection Act

By Linn Foster Freedman on July 2, 2015

On June 26, 2015, Rhode Island Governor Gina Raimondo signed Senate Bill S0134, the Rhode Island Identity Theft Protection Act of 2015, which substantially revises the old law, including breach notification.

Specifically, the new law requires municipal agencies, state agencies and any “person” that “stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident” to implement “a risk-based information security program” which “contains reasonable security procedures and practices…in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure…”

The law further requires agencies and businesses to implement a written document retention policy and not retain personal information longer than is necessary for the purpose for which it was collected and destroying the information in a secure manner including shredding, pulverization, incineration or erasure.

In addition, all agencies and businesses that disclose personal information of Rhode Island residents to a third party must have a written contract in place with the third party ensuring that the third party has implemented and maintains reasonable security procedures and practices to protect the information.

If an agency or business suffers a data breach, the agency or business must notify individuals of the breach within forty-five (45) days of confirmation of the breach. This is one of the shortest periods of time in national data breach laws. Further, if the breach affects more than 500 individuals, the agency or business must notify the Attorney General, which is also a new provision.

Following Massachusetts, the law sets forth the specific requirements of the notification letter, including that the individual is entitled to file a police report and how to obtain a credit freeze.

Penalties for violation of the Act include a civil suit by the Attorney General and $100 per record for reckless violation of the Act and $200 for knowing or willful violation.

The Act becomes effective on June 26, 2016.

 

  • Posted in:
    Intellectual Property
  • Blog:
    Data Privacy + Cybersecurity Insider
  • Organization:
    Robinson & Cole LLP
  • Article: View Original Source

Open Legal Blog Archive, Inc. logo
Seattle, Washington
Copyright © 2026, Open Legal Blog Archive, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo