Gov. Daniel J. McKee may have proclaimed October as Cybersecurity Awareness Month in Rhode Island – aligning with a nationwide effort to combat the escalating threat of data breaches hitting businesses, nonprofits and government agencies – but for more than 6,000 Rhode Islanders, this awareness will come a little too late.
Letters now being mailed by Brightstar Global Solutions Corp., a rebranded lottery subsidiary of International Game Technology PLC, have been informing those residents that their personal data may have been compromised for nearly a year, making them more vulnerable to criminal exploitation.
According to state law, the R.I. Office of Attorney General must be notified within 45 days if a data breach affects the personal information of more than 500 state residents. However, the clock only begins after an organization investigates the breach, not when the breach is first discovered.
In this case, Brightstar identified a security breach on Nov. 10, 2024, but only ended its internal investigation in August, allowing the company to notify the public in October without violating state law.
Brightstar spokesperson Michael DeAngelis said most of the 6,300 Rhode Island residents affected are former or current employees of the company.
But legal action swiftly followed the breach notification, with a civil class-action lawsuit targeting Brightstar in both Rhode Island and Nevada courts.
Lead attorney Peter Wasylyk – a former state representative who is also representing victims of a cyber breach involving Deloitte Consulting – stated in court filings that those affected by the breach have suffered "irreparable harm," and he is seeking $5 million in damages.
The cyberattack was not a total secret. Shortly after it happened in 2024, Brightstar referred to the breach in a U.S. Securities and Exchange Commission filing, which was reported by several financial news websites.
The slow notification of those affected has angered some.
In the previous legislative session, state Rep. Robert D. Phillips, D-Woonsocket, proposed an amendment to the Identity Theft Protection Act aimed at eliminating the notification threshold, but he said the bill failed in committee partly because of opposition from the business lobby, which argued it could overwhelm smaller businesses with regulatory compliance costs.
Cybersecurity experts highlight that Social Security numbers can fetch over 10 times the value of credit card details on the black market, and notifying victims of a data breach quickly can help reduce the damage.
“I know there are a lot of competing interests,” Phillips said. “It is about what did they know and when did they know it? Just disclose that it happened and then you can do your investigation.”
He vowed to reintroduce the legislation in the next session.
Contrasting approaches to breach notifications are being seen in neighboring states.
Connecticut requires that data breaches be reported to the attorney general and affected consumers within 60 days of their discovery. Officials have begun issuing “warning letters” to companies "aimed at addressing a troubling trend of breach notice timelines stretching out many months from breach discovery in violation of Connecticut law."
Spokesperson Kaitlyn Krasselt confirmed that Brightstar is under investigation by the Conn. Department of Consumer Protection and the Conn. Office of the Attorney General.
As for the 1,483 Massachusetts residents potentially affected by the Brightstar breach, Kennedy Sims, spokesperson for Mass. Attorney General Andrea Joy Campbell, would not confirm, deny or comment on any investigation.
The breach occurred just a few days after Everi Holdings investors approved a transaction in which that company will combine with IGT’s global gaming and PlayDigital units and be acquired by an affiliate of private equity firm Apollo Global Management.
Companies in the business of collecting and storing large amounts of data, such as those in the gaming and lottery sector, are particularly vulnerable with the introduction of digital gambling, observers say.
Indeed, a 2020 audit by R.I. Auditor General Dennis E. Hoyle said that for both mobile sports betting and iLottery, the “risks are increased through external devices (phones and computers) accessing the gaming platforms.”
“The Lottery’s challenges in monitoring diverse gaming activities include the overall cybersecurity threats common to all information technology, as well as the more specific risks associated with rapid technology deployments that provide new gaming options,” the auditor’s report said.
R.I. Attorney General Peter F. Neronha was not made available for comment to answer questions about whether the breach notification law should be changed. But spokesperson Timothy Rondeau confirmed that the office is now posting all data breach notifications received since Jan. 1.
A review of these filings shows that some companies have had quicker responses.
For example, real estate advisory firm Peregrine Group LLC was alerted to suspicious activity on April 16 and, with the help of a third-party forensics firm, affirmed a breach by June 16. The company had the information and potential victims by July 22. Letters were sent on Sept. 10.
Phillips said he believes this should set a standard for future incidents. And Rhode Island's laws should evolve with both emerging technology and criminal tactics.
“These criminals are always one step ahead,” he said. “But the right to know should not depend on the number of people affected.”