HARTFORD, Conn., and PROVIDENCE, R.I. (7/15/15)--With ardent credit union support, two state governors recently signed into law bills that will require merchants or any breached entity to warn affected individuals that the organization’s systems have been hacked and that personal data has been compromised.
In Rhode Island, Gov. Gina Raimondo ratified the Rhode Island Identity Theft Protection Act of 2015, which entirely repeals existing identity theft protection provisions and replaces them with expanded regulation (Daily CU Scan July 13).
Among other measures, the act requires breached entities to notify Rhode Island residents who have had information stolen as a result of an incident within 45 days after confirmation of the breach.
If more than 500 residents have been affected, the entity must notify the state’s attorney general. Failure to comply will result in fines of up to $100 or $200 per record.
The law also requires organizations to install and maintain a risk-based information security program that incorporates security procedures and practices consistent with both the size and scope of the organization, and the nature of the information in its possession.
Similarly, Connecticut Gov. Dannel Malloy July 1 signed legislation that requires breached organizations to alert affected individuals within 90 days, unless federal law requires a shorter response time (Weekly Update July 7).
Notice is required when the following information is compromised:
Additionally, the new law mandates that the breached organization must offer affected individuals at least one year of free identity theft prevention and monitoring services. The organization also must tell affected individuals how to enroll in the services and how to place a freeze on a credit file.
In California, meanwhile, AB 83, which would require retailers to identify internal and external risks to their data security systems, recently passed out of the Senate Judiciary Committee on a 5-1 vote and is now scheduled to be voted on by the entire Senate, according to the California and Nevada Credit Union Leagues.
This year has seen regular activity at the state level related to breach notification law, with the following action already taken: