R.I. Gen Laws §§ 11-49.3-2 to 11-49.3-6 |
---|
Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic or Paper. | Most expedient time possible, but no later than 45 days. | Yes – notify Attorney General if more than 500 residents notified. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following data sets when unencrypted or in a hard copy, paper format:
|
Definition of Breach |
Unauthorized access or acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic or paper. |
Encryption Safe Harbor |
Statute does not apply to encrypted information. |
Risk of Harm Analysis |
Notification not required if breach or disclosure of personal information does not pose a significant risk of identity theft to any resident. |
Consumer Notice Requirements |
Timing: Most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to provide notice. Content: Notification must include the following information, to the extent known:
Method: By written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is also available under certain circumstances. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice would exceed $25,000, that the affected class to be notified exceeds 50,000, or the entity does not have sufficient contact information. Substitute notice must consist of all of the following:
|
Delayed Notice Requirements |
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. |
Government Notice Requirements |
If more than 500 Rhode Island residents are notified, a sample copy of the consumer notification letter must be submitted to the Attorney General, along with the approximate number of affected individuals. Per 230-RICR-20-60-8.11, entities subject to state insurance regulations must also notify the Rhode Island Department of Business. |
Consumer Reporting Agency Obligations |
If more than 500 Rhode Island residents are notified, a sample copy of the consumer notification letter must be submitted to the major consumer reporting agencies, along with the approximate number of affected individuals. |
Potential Penalties |
Violations may result in civil penalties and other remedies. Reckless violations of the statute may result in penalties up to $100 per record. Knowing and willful violations may be penalized up to $200 per record. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
Last updated: January 2024