Nearly two months after state officials disclosed a colossal breach of Rhode Island’s public benefits portal and health insurance marketplace, a state rep is trying to strengthen laws surrounding data leaks of people’s private information.
“We need to do something for data breaches. It’s just getting ridiculous,” Rep. Robert Phillips, a Woonsocket Democrat, said Tuesday during a meeting of the Rhode Island House Committee on Innovation, Internet and Technology.
Phillips was testifying on his bill H5301, which would amend the Identity Theft Protection Act of 2015. The Identity Protection Act regulates how state agencies, or other entities that hold onto people’s personal information, are supposed to respond in the event of a data breach. The most recent example is the December 2024 RIBridges breach, which is believed to have exposed the personal information of over 650,000 Rhode Islanders.
Under the current law, data breaches that affect 500 or more people require the impacted agency to notify the Rhode Island Attorney General. Phillips’ bill would eliminate that threshold and require all breaches to be reported to both the Attorney General and the Department of Business Regulations (DBR). It would also make “any agency, entity, or any other person that maintains or stores but does not own or license, data,” subject to notification requirements. That could include entities like Deloitte, the system vendor and architect for RIBridges.
The General Assembly last updated the data breach laws in 2023, the same year the Rhode Island Public Transit Authority (RIPTA) found itself embroiled in a legal battle over a 2021 employee data breach. The legislature decided to create different notification periods for businesses versus government agencies.
Lenette Forry-Menard, a lobbyist and attorney with Champion Advocacy Associates, testified on behalf of the Northern Rhode Island Chamber of Commerce. During the 2023 update of the law, legislators decided that public entities had to notify the attorney general of a breach in 30 days, down from 45 days. The notification window for businesses stayed at 45 days.
The lobbyist said Phillips’ bill is “unclear” as to whether businesses would still be subject to the 45-day limit to notify state authorities, or if the notification timespan would be shorter. Forry-Menard argued changing the language surrounding a breach’s severity of risk might be problematic, as it could make it tricky for businesses to determine what needs to be reported to the state.
Forry-Menard gave an example: “I’m a remote worker, so I have my computer at home. I’m working on it. I may get up and go to the restroom, and my husband, who’s around sometimes, may walk through the office. Technically, under the letter of the law, if you take out the language that’s there right now about the significant risk, I should have to notify the attorney general, or under this bill, DBR, that I may have been breached. I don’t think anybody wants that.”
Director of the Department of Administration Jonathan Womer also submitted written testimony on the bill.
“The Department has a great appreciation for the importance of this statute, particularly in light of the recent RIBridges data breach, but would like to raise a few operational concerns with the proposed amendments,” Womer wrote.
The director took issue with the proposal’s prescription that a breach victim “‘cooperate with the owner or licensor’ of compromised information…There is no definition of ‘cooperate,’ which makes this requirement ambiguous and open-ended,” Womer wrote. “This requirement will likely generate unnecessary confusion for impacted individuals about what they are entitled to from an entity that holds their data.”
As written, the bill could also create an administrative burden and delay the existing notification process, Womer wrote.
Phillips’ bill was held for further study, as is standard on a piece of legislation’s first introduction. He told the committee he was willing to edit the bill and incorporate feedback from stakeholders.
This article was originally published by the Rhode Island Current.