Rhode Island Data Breach Notification Statute Summary

R.I. Gen Laws §§ 11-49.3-2 to 11-49.3-6

 

Type of Data Covered: Electronic or Paper.
Deadline for Notification: Most expedient time possible, but no later than 45 days.
Government Notice: Yes – notify Attorney General if more than 500 residents notified.

 

Subject Entities

Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personal Information

First name or first initial and last name, in combination with one or more of the following data sets when unencrypted or in a hard copy, paper format:

  • Social Security number; 
  • Driver’s license, Rhode Island identification card, or tribal identification number;
  • Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to a resident’s financial account;
  • Medical information;
  • Health insurance information; or
  • Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.

Definition of Breach

Unauthorized access or acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic or paper.

Encryption Safe Harbor

Statute does not apply to encrypted information. 

Risk of Harm Analysis 

Notification not required if breach or disclosure of personal information does not pose a significant risk of identity theft to any resident.

Consumer Notice Requirements

Timing: Most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to provide notice.

Content: Notification must include the following information, to the extent known:

  • A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;
  • The type of information that was subject to the breach;
  • Date of breach, estimated date of breach, or the date range within which the breach occurred;
  • Date that the breach was discovered;
  • A clear and concise description of any remediation services offered, including toll free numbers and websites to contact: (i) credit reporting agencies; (ii) remediation service providers; and (iii) the Attorney General; and
  • A clear and concise description of the resident’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.

Method: By written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is also available under certain circumstances. 

Substitute Notice Requirements

Substitute notice may be provided if the cost of providing notice would exceed $25,000, the affected class to be notified exceeds 50,000, or the entity does not have sufficient contact information.

Substitute notice must consist of all of the following:

  • Email notice when the entity has an email address for the affected residents;
  • Conspicuous posting of the notice on the entity’s Internet webpage, if it maintains one; and
  • Notification to major statewide media.

Delayed Notice Requirements 

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation.

Government Notice Requirements

If more than 500 Rhode Island residents are notified, a sample copy of the consumer notification letter must be submitted to the Attorney General, along with the approximate number of affected individuals.

Per 230-RICR-20-60-8.11, entities subject to state insurance regulations must also notify the Rhode Island Department of Business.

Consumer Reporting Agency Obligations

If more than 500 Rhode Island residents are notified, a sample copy of the consumer notification letter must be submitted to the major consumer reporting agencies, along with the approximate number of affected individuals.

Potential Penalties 

Violations may result in civil penalties and other remedies. Reckless violations of the statute may result in penalties up to $100 per record. Knowing and willful violations may be penalized up to $200 per record.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.

 

Last updated: January 2024