§11-49.3-2. Risk-based information security program.

§11-49.3-2. Risk-based information security program.
Short Title
Official Text §11-49.3-2. Risk-based information security program.
Country/Jurisdiction United States
State or Province Rhode Island
Regulatory Bodies
Date Enacted 1998

Scope of the Law General Business
Information

Taxonomy Insecurity
Strategies


Text of the law

CHAPTER 11-49.3
Identity Theft Protection Act of 2015
SECTION 11-49.3-2
§ 11-49.3-2. Risk-based information security program.
(a) A municipal agency, state agency, or person who or that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information. A municipal agency, state agency, or person shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency, or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.
(b) A municipal agency, state agency, or person who or that discloses personal information about a Rhode Island resident to a nonaffiliated third party shall require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure. The provisions of this section shall apply to contracts entered into after the effective date of this act. Insecurity
History of Section.
(P.L. 2015, ch. 138, § 2; P.L. 2015, ch. 148, § 2.)



Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.