Sometime between Aug. 3 and 5 last year, a hacker stole a sensitive file from the computer of a payroll clerk at the offices of the Rhode Island Public Transit Authority.
But it wasn’t until Dec. 21 that a letter was sent about the breach to the more than 17,000 state employees whose Social Security numbers, names, addresses, health insurance claim information and more were included in it.
Rep. Deborah Ruggiero, chairwoman of the House Innovation, Internet and Technology Committee, is sponsoring legislation that would establish a new state panel to ensure a swift response when such breaches occur within public agencies, and to require timely notification of those affected.
The legislation (2022-H 7883) creates a cybersecurity incident response group consisting of the leaders of the State Police, the National Guard, the Division of Information Technology, the Emergency Management Agency and the Secretary of State. The group would develop communication protocols for when there is a cybersecurity breach at a public agency or body, and make long-term plans for coordinating such reporting.
The legislation requires that any public agency or body that experiences a cybersecurity breach report it to that group and the Attorney General within 24 hours. The bill also requires the agency to notify the individuals whose information may have been included in the breach within 15 days, and notify credit reporting agencies.
“Cyber attacks are a reality of today’s world, and our state agencies must be equipped to handle them swiftly and appropriately. In 2022, it shouldn’t take months to notify people that their information was included in a data breach. The RIPTA situation demonstrated that our state needs to develop better protocols for cybersecurity,” said Representative Ruggiero (D-Dist. 74, Jamestown, Middletown).
The legislation also requires any agency affected by a cybersecurity issue to submit a secondary notification to the cybersecurity response group and the Attorney General detailing the agency’s practices to protect its data, including its corrective actions to address any deficiencies identified as a result of the experience.
“I would hope that all of our public agencies are reviewing their cybersecurity policies and making sure they are following up-to-date practices for protecting the personal information that exists in their records. What this bill aims to do is ensure that if a hacker does manage to get through that system, there is already a plan in place for how to rapidly notify those who need to know,” said Representative Ruggiero.
Source: Press releases published by Rhode Island General Assembly’s Legislative Press and Public Information Bureau