It is not uncommon these days to open the newspaper to reports of businesses fallen victim to cyber attacks. But, while front page news tends to focus on security breaches of companies of the “fortune 500” caliber, cyber attacks waged upon small family and middle market businesses actually occur with greater frequency. In an article published in 2015 by SEC Commissioner Luis A. Aguilar, “The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses,” the author notes that the FBI reports that ransomware attacks, standing alone, cost companies around the world more than $1 billion between October 2013 and June 2015. While companies of all sizes have lost money to such schemes, small and medium-sized businesses are believed to be the biggest targets.

In response, the Rhode Island General Assembly adopted the Rhode Island Identity Theft Protection Act of 2015. Effective at the end of July 2016, the law is a consumer protection-based statute, which places new responsibilities upon businesses operating in Rhode Island to protect consumer data and to notify consumers in the event of a security breach. Some of the more critical components of the Act, from the business owner and operator perspectives, are as follows:

1. The Act now mandates that all businesses, regardless of size or industry, adopt “risk- based” cybersecurity policies and procedures to secure consumer information and to address cybersecurity breaches. The law requires that these procedures – which should be solidified in written policy form- must be bespoke to the business adopting them. In other words, a businesses’ cybersecurity policy should be one that is appropriate for the size and nature of the business, as well as the information collected and stored. The security policy must also set forth procedures for the safe and timely destruction of consumer personal information, including policies which mandate the retaining of personal information only for such period of time as may be required for the business to provide the goods or services for which it was engaged to provide.

2. The Act also provides for expedited notice requirements to consumers in the event of a data breach. Businesses must now notify consumers of breaches as soon as possible, but no later than 45 days after the breach is discovered. Moreover, businesses who suffer information breaches involving more than 500 Rhode Island residents are required to notify the Office of the Attorney General and major credit card reporting agencies.

3. The Act has teeth. Rhode Island businesses that suffer a security breach and do not have a security policy in place and/or which fail to meet the notification requirements of the Act, are subject to substantial penalties: $100 per record for “reckless”, and $200 per record for “willful” violations. Whereas the predecessor Rhode Island law provided a cap on the amount of damages a business would pay for falling short of statutory requirements in relation to the protection of consumer data ($25,000), the new law removes this finite cap. Accordingly, a substantial data breach, coupled with company noncompliance with the Act could result in business paying substantial penalties.

The only way to avoid penalties under the Act is to adopt written cybersecurity procedures, and for business to follow the “letter of the law.” A business attorney familiar with the Act and the workings of business organizations is likely in the best position to assist in tailoring requisite policies and procedures. If you are interested in learning more about how to protect to business or organization against cyber attacks, contact business lawyer Benjamin L. Rackliffe at or email We welcome your comments, questions and suggestions.