Last month, Rhode Island enacted a new cybersecurity law that considerably tightens cybersecurity requirements for nonbank financial institutions within the state, largely mirroring the framework established by the New York Department of Financial Services (NYDFS).
The law, effective immediately, applies to nonbank financial institutions licensed by the state's Department of Business Regulation and signals a growing trend of states, particularly Democrat-controlled states, advancing more prescriptive cybersecurity standards for financial institutions and their nonbank competitors.
Rhode Island passed the law as the Trump administration relaxed rulemaking and enforcement at federal agencies, including those that regulate cybersecurity at nonbank financial institutions, such as the Consumer Financial Protection Bureau and the Federal Trade Commission.
The new law is another stitch in an increasingly diverse patchwork of state-specific cybersecurity rules, some highly similar to New York's, others less so.
Key requirements for covered companies
Rhode Island Senate Bill 603 mandates a number of standard cybersecurity practices for covered entities, effectively mirroring those of the NYDFS cybersecurity regulation.
Information security program: Companies must “develop, implement, and maintain a comprehensive information security program” that includes “administrative, technical and physical safeguards.”
This program must be appropriate for the institution's size, complexity, activities, use of third-party service providers, and the sensitivity of the customer information it handles, according to the law. The law also requires a qualified individual to oversee the program.
Risk assessments: Covered institutions must “perform a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information,” according to the law. They must also “periodically perform additional risk assessments.”
Technical controls: The law requires implementing “technical and administrative controls.” These must include encryption, multifactor authentication and access controls.
Encryption: Companies must protect “all customer information held or transmitted both in transit over external networks and at rest.” If encryption is infeasible, companies may use “effective alternative compensating controls.”
Multifactor authentication: Companies must implement “multi-factor authentication for any individual accessing any information system” unless a qualified individual approves equivalent or more secure controls in writing.
Access controls: Companies must periodically review “access controls, including technical and as appropriate, physical controls” to authenticate authorized users and limit their access to only the customer information they need.
Regular testing: Companies must conduct “annual penetration testing” and “twice-yearly vulnerability scans.” They must also regularly test “the effectiveness of the safeguards' key controls, systems, and procedures.”
Incident response plan: The law requires a “written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information.”
Service provider oversight: Institutions must “take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards” and write into contracts with service providers requirements to “implement and maintain such safeguards.”
Annual reporting: A “qualified individual” must report in writing, at least annually, to the board of directors or a senior officer on the “overall status of the information security program and compliance” and “material matters related to the information security program.”
Business continuity: Companies must “establish a written plan addressing business continuity and disaster recovery.”
How Rhode Island's law differs from New York's
While the Rhode Island law closely mirrors the NYDFS regulations, there are some key differences.
Breach notification timeline: Rhode Island's law gives covered financial institutions “some welcome leeway relative to the NYDFS requirement,” according to an analysis by the law firm Cooley.
It requires notification to the director of the Rhode Island Department of Business Regulation “within three business days of determining a security event has occurred.” In contrast, NYDFS requires notice within 72 hours, regardless of whether that period includes non-business days.
Notification triggers: While the exact definitions of what constitutes a security event differ between Rhode Island and New York, the biggest operational difference is what triggers a notification to the state about an event. If an event meets any of the following criteria, a business must report the incident to the Rhode Island Department of Business Regulation:
1. It triggered an existing incident notification requirement, such as one under another state's law or federal law.
2. It “has a reasonable likelihood of materially harming any consumer residing in Rhode Island.”
3. It “materially impacts the normal operations of the company.”
While New York's regulation shares the first criterion, “material harm” to consumers does not trigger a notification in New York. Rather, NYDFS requires notification if the event results in the deployment of ransomware.
Ambiguity with “notification event”: The Rhode Island law also includes a definition for a notification event: the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”
However, the law ultimately uses “security event” as the trigger for notifying the regulator, “potentially causing confusion over which definition should prevail when assessing whether to notify the Department of Business Regulation,” according to Cooley.
Data retention limits: Rhode Island Senate Bill 603 imposes specific data retention limits, requiring covered financial institutions to “destroy customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer,” unless an exception applies.
Exceptions include information necessary for business operations, information required to be retained by other law or regulation, or cases where targeted disposal is not reasonably feasible.
No annual certification: Unlike the NYDFS rules, Rhode Island's law does not require companies to annually certify compliance to the state regulator, according to Cooley.
Key differences from other state laws
The trend toward more granular and proactive state-level cybersecurity oversight of nonbank financial institutions is growing, according to Cooley.
For example, North Dakota's House Bill 1127, effective August 1, requires notice within 45 days for security incidents affecting 500 or more consumers, a far cry from New York's 72-hour rule.
Nevada's Senate Bill 44, effective January 1, 2026, ties licensed financial institutions to the FTC's Safeguards Rule and requires notification within 30 days for “notification events” affecting 500 or more customers.