Medical identity theft is just one potential issue that recent Rhode Island legislation hopes to solve.
Set to go into effect on June 26, 2016, the new Rhode Island Identity Theft Protection Act requires businesses and organizations of all sizes to implement and maintain a risk-based information security program, along with other key provisions.
For example, the Act also requires state businesses to not retain personal information for longer than is reasonably required to provide the services requested. This information must also be destroyed in a secure manner, such as through shredding, pulverizing, incinerating or erasing.
This legislation replaces the current law and keeps some of its provisions, such as the requirement that data breach notification be given in the “most expedient time possible.” However, the new Act requires that notice be given within 45 days after confirmation of the breach.
“The notification required by this section may be delayed if a federal, state or local law enforcement agency determines that the notification will impede a criminal investigation,” according to the law. “The federal, state or local law enforcement agency must notify the municipal agency, state agency or person of the request to delay notification without unreasonable delay.”
Another important change to the law was adding medical information, health insurance information, and email addresses to what is considered “personal information.” Should any of that defined data be compromised, then Rhode Island businesses will need to act accordingly.
The law also considers the following data, when paired with an individual's first name or first initial and last name, to be personal information:
- Social Security number
- Driver’s license number, Rhode Island identification card number, or tribal identification number
- Account number, credit or debit card number, in combination with any required security code, access code, password or personal identification number that would permit access to an individual's financial account
- Medical or health insurance information
- E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance or financial account
“We live in a world where so much, if not all, of our personal information floats around in cyberspace, often with completely inadequate protections. This is the reality of our times,” one of the bill’s sponsors, Senator Louis DiPalma, said in a statement when the bill was first passed. “The intent of this legislation is to set standards and to protect that vital information from those who wish to do harm or profit from the most personal details of our lives.”
Fellow sponsor Rep. Stephen R. Ucci agreed, adding that “the standards, definitions and procedures set forth in this legislation will provide the adequate data protections needed for this ever changing digital world.”
Oregon is another state that recently enacted new data security legislation in an effort to better protect sensitive information. The Oregon Consumer Identity Theft Protection Act went into effect on January 1, 2016, and requires businesses and government agencies to notify the state attorney general of a data breach affecting more than 250 state residents.
Furthermore, the new law applies only to unencrypted information. The compromised information would need to “be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.”
“The notification to the consumer required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and that agency has made a written request that the notification be delayed,” the law states. “The notification required by this section shall be made after that law enforcement agency determines that its disclosure will not compromise the investigation and notifies the person in writing.”