Rattled by RIPTA breach that affected 22,000, lawmakers propose policy changes

Lawmakers say that last year's breach of Rhode Island Public Transit Authority computer systems highlighted glaring problems with the way the state responds to the theft of people's personal data.

About 22,000 former and current state employees were affected by the breach, which occurred when hackers got hold of unsecured files containing years' worth of health insurance billing data. The incident sparked widespread frustration, and Sen. Louis DiPalma, D-Middletown, and others hope that the result will be concrete policy changes.

"Let’s seize this opportunity," DiPalma said.

DiPalma's bill, S 2664, is designed to expand the protections and reporting requirements outlined in the Identity Theft Protection Act of 2015. A companion bill, H 7884, was introduced in the House by Rep. Terri Cortvriend, D-Middletown.

"Everything that’s in the bill is a result of the oversight hearing we had," DiPalma told The Providence Journal, referring to a Senate Oversight Committee hearing that he chaired in February, in which RIPTA officials and the state's Department of Information Technology were grilled about what had gone wrong.

What the bill would do
Here's what the bill would do:

- Give state agencies 15 days to notify people whose information may have been compromised, rather than 45.

One major complaint from current and former state employees after the RIPTA breach was that they didn't learn they might have been affected until late December, even though the breach happened in August.

"Forty-five days is too long," DiPalma said. He suspects that there may be some pushback to the 15-day requirement, "and I will tell them to ask the 22,000 Rhode Islanders if 45 days is OK."

- Require unions to be notified about breaches, if the affected employees are covered by a collective bargaining agreement.

"Labor union representatives can find a way to notify their members and get the information out pretty quickly, compared to what the state can do in some cases," DiPalma said.