Can I avoid having a data breach response plan in Rhode Island? What are the requirements?
Data Breach Response Plan Requirements in Rhode Island
The Rhode Island Identity Theft Protection Act of 2015 (R.I. Gen. Laws § 11-49.3-4) requires a licensee to send a disclosure of a breach of the security of computerized unencrypted data that poses a significant risk of identity theft. The licensee must also send a notice of the breach to the Rhode Island Department of Business Regulation [1.1].
Agencies or persons with security breach procedures are deemed to be in compliance with the security breach notification requirements of § 11-49.3-4 if they maintain their own security breach procedures as part of an information security policy for the treatment of personal information, otherwise comply with the timing requirements of § 11-49.3-4, and notify subject persons in accordance with the municipal agency's, state agency's, or person's notification policies in the event of a breach of security [2.2].
Therefore, if a licensee maintains its own security breach procedures as part of an information security policy for the treatment of personal information and complies with the timing requirements of § 11-49.3-4, it can avoid having a separate data breach response plan in Rhode Island.
However, it is important to note that the Rhode Island Department of Business Regulation must be notified of any breach of the security of computerized unencrypted data that poses a significant risk of identity theft in the most expedient time possible and without unreasonable delay, consistent with the disclosure required under R.I. Gen. Laws § 11-49.3-4 [1.1].
In summary, while a separate data breach response plan may not be required in Rhode Island, it is important for licensees to have security breach procedures in place and to comply with the notification requirements in the event of a breach.
Additional context from [2.1] states that any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification, as set forth in that section, of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. The notification shall be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of that section.
In conclusion, while a separate data breach response plan may not be required in Rhode Island, it is important for licensees to have security breach procedures in place that include notification requirements in the event of a breach. Failure to comply with the notification requirements may result in liability for a violation [2.1].
Source(s):
- [1.1] Notification of Breach of Security System
- [2.1] Notification of breach.
- [2.2] Agencies or persons with security breach procedures.
Jurisdiction
Rhode Island