As of July 2, 2016, the Rhode Island Identity Theft Protection Act of 2015 (the “Act”) is in effect. The Act is of great significance to Rhode Island law firms because it requires any “municipal agency, state agency, or person . . . that stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident [to] implement and maintain a risk-based information security program.” The definition of a “person” under the Act includes business organizations such as law firms.
Rhode Island is one of the states at the forefront of identity theft protection. In 2005, Rhode Island enacted an Identity Theft Protection Act to address the “growing concern regarding the possible theft of individuals’ identity and a resulting need for measures to protect the privacy of personal information.” Rhode Island, like many other states, has adopted second-generation identity theft and breach notification laws. All entities defined under the Act are required to develop or update “reasonable security procedures and practices appropriate to the size and scope of the organization.” The goal is to prevent the “unauthorized access, use, modification, destruction, or disclosure [of personal information] and to preserve the confidentiality, integrity and availability of such information.”
As the 2013 Target data breach illustrated, beware of nonaffiliated third parties. During the investigation of the Target security breach, it was learned that the source of the breach was a heating, ventilation and air-conditioning company, which was a nonaffiliated third-party vendor of Target. This data breach resulted in the personal information of approximately 100 million Target shoppers being compromised. Personal information includes social security numbers, driver’s license numbers, account numbers, credit and debit card numbers, medical and health insurance information, and email addresses.
If a breach occurs, the entity that is breached is required to provide a description of the incident, the type of information that was subject to the breach, the estimated date of the breach, the date the breach was discovered, and the remediation services offered to affected individuals.
The penalties for a violation of the Act are civil in nature. A reckless violation can result in a $100.00 per record fine. A knowing and willful violation can result in a $200.00 per record fine. While the penalties of $100.00 to $200.00 per record may seem insignificant, once multiplied by the thousands of records a business may contain, the penalty can be substantial.
It is prudent that all businesses, including law firms, consider purchasing data breach protection insurance. The business entity should have written procedures regarding the retention and destruction of customers’ personal information. Finally, all businesses should have a comprehensive plan of action if they suffer a data breach. Cyber-criminals are ingenious, and it is imperative that businesses, including law firms, stay one step ahead. For more information on the Act, please see Rhode Island Identity Theft Protection Act of 2015, Rhode Island Bar Journal, July/August 2016, Robert H. Humphrey, Esq.