R.I. Gen. Laws §§ 11-49.3-2 – 11-49.3-6 |
---|
Subject Entities |
Applies to all businesses, governmental agencies, and any other entities that otherwise handle personal information under the statute. |
Security Standard |
Must implement and maintain a risk-based information security program that contains reasonable security procedures and practices to protect personal information from unauthorized access, use, modification, destruction or disclosure, and to preserve confidentiality, integrity, and availability of such information. |
Disposal/Destruction Standard |
May not retain personal information for a period longer than: reasonably required to provide requested services or meet the purpose for its collection; pursuant to a written retention policy; or as required by law. |
Applicable To |
Any person, entity, or municipal or state government agency who stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident. |
Types of Data Covered |
Electronic and Physical. |
Definitions |
“Personal Information” means an individual’s first name or first initial and last name, in combination with one or more of the following data sets when unencrypted or in a hard copy, paper format:
|
Methods of Compliance |
Implement and maintain a risk-based information security program that has reasonable security procedures and practices appropriate to the:
If personal information is disclosed to a third party, must contractually require the third party to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, use, modification, destruction, or disclosure. Must destroy all personal information in a secure manner, including but not limited to shredding, pulverizing, incinerating, or erasure. |
Enforcement |
Violations may result in a civil action by the Attorney General. |
Penalties |
Violations may result in civil penalties and other remedies. Reckless violations of the statute may result in penalties up to $100 per record. Knowing and willful violations may be penalized up to $200 per record. |
Last updated: January 2024