If you live, work, or own a business or organization that has dealings with Rhode Island residents, then it is important that you are aware of the changes that go into effect on June 26, 2016, thanks to the state’s new Rhode Island Identity Theft Protection Act. This act replaces the regulations and guidelines currently in effect and will cover any business, organization, or government entity or individual that does anything that involves the collection and storage of personal information about any Rhode Island residents.
What are the Most Important Changes?
One of the most important changes to the law is that businesses, organizations, or individuals must use some type of risk-based information security program. This should include security practices that are appropriate to the scale of the organization and the information stored, as well as the purpose behind the collection of the information. Ultimately, the best measures need to be in place to prevent any unauthorized access to the data. The new law also states that personal information should not be retained any longer than necessary to reasonably provide the services. Any data that is destroyed should be destroyed in a secure manner, such as shredding, pulverizing, or incinerating.
In addition to changes to the storage, collection, and destruction of personal data, the law also changes the notification requirements in the event of any breach of security. Notification must happen in the “most expedient time possible,” and this must be no later than 45 days after the breach has been confirmed. There is one exception: any financial institutions, credit unions, or trust companies that are subject to the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice and that are found to be in compliance with those guidelines after examination will also be found compliant with the new law.
What Steps Should Be Taken for Compliance?
One of the first actions you should take if you have any dealings with Rhode Island residents is to determine what, if any, personal information you collect and store. It is also important to recognize the purpose behind it, as well as who has access to the data. If there is any information that is not required for you to conduct your business, then it may be time to properly destroy the data. A complete audit of your processes will help you determine if you are currently compliant, and if you are not, what areas need to be adjusted. You may find it beneficial to create a written document with your policies and procedures to help you in the process.
It is also important to review whether any of this information is shared with other parties, such as your vendors or service providers, according to JDSupra Business Advisor. If this is the case, then it is important that you review the contracts and make any adjustments to ensure that sufficient security measures are in place.
Should Rhode Island Residents Care About the New Law?
If you are a resident of Rhode Island, you should also be aware of the changes taking place and ensure that companies that collect and store any of your data make the necessary changes to be compliant with the new law, including having a strong security system in place and properly destroying the data once it is no longer necessary. The new law is in place to protect your data and reduce your risk of falling victim to identity theft. You may find it beneficial to know the new guidelines to help you ensure your data remains safe.