Rhode Island Information Security Standards Summary

R.I. Gen. Laws §§ 11-49.3-2 – 11-49.3-6

Subject Entities

Applies to all businesses, governmental agencies, and any other entities that otherwise handle personal information under the statute.

Security Standard

Must implement and maintain a risk-based information security program that contains reasonable security procedures and practices to protect personal information from unauthorized access, use, modification, destruction or disclosure, and to preserve confidentiality, integrity, and availability of such information.

Disposal/Destruction

Standard

May not retain personal information for a period longer than: reasonably required to provide requested services or meet the purpose for its collection; pursuant to a written retention policy; or as required by law.

Applicable To

Any person, entity, or municipal or state government agency who stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident.

Types of Data Covered

Electronic and Physical.

Definitions

“Personal Information” means an individual’s first name or first initial and last name, in combination with one or more of the following data sets when unencrypted or in a hard copy, paper format:

  • Social Security number;
  • Driver’s license, state identification card, or tribal identification number;
  • Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to a resident’s financial account;
  • Medical information;
  • Health insurance information; or
  • A username or email address, in combination with a password or security question answer that would permit access to an individual’s financial account.

Methods of Compliance

Implement and maintain a risk-based information security program that has reasonable security procedures and practices appropriate to the:

  • Size and scope of the organization;
  • Nature of the information; and
  • Purpose for which the information was collected.

If personal information is disclosed to a third party, the disclosing entity must contractually require the third party to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, use, modification, destruction, or disclosure.

Must destroy all personal information in a secure manner. Secure destruction includes, but is not limited to, shredding, pulverizing, incinerating, or erasure.

Enforcement

Violations may result in a civil action by the Attorney General.

Penalties

Violations may result in civil penalties and other remedies. Reckless violations of the statute may result in penalties up to $100 per record. Knowing and willful violations may be penalized up to $200 per record.

Last updated: January 2024