Information Covered / Important Definitions
Personal information of Rhode Island residents when the name and the data elements are not encrypted or are in hard copy, paper format.
Definition includes (i) medical information, (ii) health insurance information, and (iii) email address in combination with any required security code, access code, or password that would allow access to an individual’s personal, medical, insurance, or financial account.
“Security Breach” means unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
“Encrypted” means the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data will not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to encrypted data.
“Health Insurance Information” means an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.
“Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or provider.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal commercial entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information.
Third party recipients:
Refer to covered entities subject to statute to determine if a third party recipient of personal information is implicated.
A covered entity that discloses computerized unencrypted personal information about a Rhode Island resident pursuant to a contract with a nonaffiliated third party must require by contract that the third party implement and maintain reasonable security procedures and practices to protect the personal information.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible but no later than forty-five (45) calendar days after confirmation of the breach and ability to ascertain information for notice unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if the cost of notice would exceed $25,000, the affected class exceeds 50,000 persons, or the covered entity has insufficient contact information.
- Notification not required if security breach does not pose a significant risk of identity theft.
A person or business that owns or licenses computerized unencrypted personal information about a Rhode Island resident must implement and maintain a risk-based information security program that contains reasonable security procedures and practices to protect personal information.
Any covered entity that must notify more than 500 persons at one time of a security breach is also required to notify consumer reporting agencies without unreasonable delay.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the computerized personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
A covered entity is deemed in compliance with the Rhode Island statute if it complies with notification requirements or procedures imposed by its primary or functional federal regulator in the event of a security breach.
A covered entity is deemed in compliance with the Rhode Island statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Rhode Island statute.
A covered entity subject to HIPAA is deemed in compliance with Rhode Island’s statute.
A financial institution, trust company, or credit union in compliance with federal interagency guidelines is deemed in compliance with Rhode Island’s statute.
Notification to Regulator / Waiver
Attorney general must be notified if a single breach affects more than 500 residents. Notification will include information about timing, content, distribution of notices, and approximate number of affected individuals.
A determination that there is no likelihood of harm does not require notification to the attorney general.
Each reckless violation is a civil violation for which a penalty of not more than $100 per record may be imposed.
Each knowing and willful violation is a civil violation for which a penalty of not more than $200 may be imposed.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.