Rhode Island Breach Notice Changes Coming in 2016

Effective June 26, 2016, the Rhode Island breach notification law will require notice “in the most expedient time possible but not later than forty-five (45) calendar days after confirmation of the breach…” In the event that more than 500 Rhode Island residents are to be notified, companies must also notify the Rhode Island attorney general and the major credit reporting agencies.

Joining a growing number of states, the definition of “personal information” now includes e-mail addresses and passwords that permit access to a personal account. The definition of “personal information” was further expanded to include medical and health insurance information, and the definition of “breach” was broadened to include unauthorized access or acquisition of computerized data, whereas before only “acquisition” of computerized data triggered notification requirements.

The amendments also require companies that store, collect, process, use, or license personal information about a Rhode Island resident to implement and maintain a risk-based information security program. In addition, a company that discloses personal information about a Rhode Island resident to a nonaffiliated third party must also require by written contract that the third party implement and maintain reasonable security procedures and practices. 

TIP: Companies that maintain statewide breach notice plans should ensure that they keep track of this amendment, which goes into effect mid-2016. It joins many other changes to breach notice laws that we have reported on throughout the year.