AMP.legal - Data Breach Laws

Browse data breach notification laws in the United States by states or territories. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date. Please review our Terms of Service. Report any errors or issues to: webmaster@amp.legal.

Last Updated	Rhode Island breach law summary was last updated on 07/02/2017
Statute	R.I. Gen. Laws §§ 11-49.3-1 et seq. [View Source] [Download PDF]
Covered Entities	"Person" shall include any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.
Covered Information	"Personal Information" includes First Name (or First Initial) and Last Name PLUS one of the following: Social security number Driver's license number, Rhode Island identification card number, or tribal identification number Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account Medical or health insurance information E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account
Form of Information	Electronic
Breach Trigger	Unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person.
Encryption Safe Harbor	No. Encrypted means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.
Risk of Harm Analysis	Yes. Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.
Consumer Notice	Up to 45 days. Any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. The notification shall be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d) of this section, and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
Government Agency Notice	Yes, more than 500. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
Credit Agency Notice	Yes, more than 500. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
Penalties	Yes, up to $500 per record: (a) Each reckless violation of this chapter is a civil violation for which a penalty of not more than one hundred dollars ($100) per record may be adjudged against a defendant. (b) Each knowing and willful violation of this chapter is a civil violation for which a penalty of not more than two hundred dollars ($200) per record may be adjudged against a defendant. (c) Whenever the attorney general has reason to believe that a violation of this chapter has occurred and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the business or person in violation.
Private Cause of Action	No.