The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Rhode Island
Data Breach Notification Statute
Highlights
Covered Entities: A municipal or state agency, individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information.
Consumer Notification: Notification must be provided to Rhode Island residents whose personal information is disclosed pursuant to a “breach” that poses a significant risk of identity theft, or is reasonably believed to have been acquired without authorization.
Regulatory Notification: Notification must be made to the Rhode Island Attorney General if more than 500 Rhode Island residents are notified.
Notification Timeline: Notification must be made “in the most expedient time possible, but no later than forty-five (45) calendar days” following confirmation of a “breach” and the ability to ascertain information necessary to provide notification.
Data Format: Electronic and hard copy (paper)
Citations: R.I. Gen. Laws §§ 11-49.3-1 to 11-49.3-6
More Details
Definitions:
- Breach: Unauthorized access or acquisition of unencrypted, computerized data that compromises the security, confidentiality, or integrity of personal information.
- Personal information (PI):
  - An individual’s first name / first initial and last name in combination with any of the following data elements:
    - Social Security number;
    - Driver’s license, state identification card number, or tribal identification number;
    - Financial account or payment card number plus any security code, access code, password, or personal identification number that would permit access to a financial account;
    - Medical / health insurance information.
  - E-mail address plus a security code, access code, or password that would permit access to a personal, medical, insurance, or financial account.
- Medical Information: Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis.
- Health Insurance Information: An individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI is encrypted, so long as the encryption key, security code, or password that would permit access to the data was not also acquired.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent for the purposes of the agency, so long as the PI is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if the “breach” does not pose a significant risk of identity theft.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
Direct Notice:
- Timing: Notification must be made “in the most expedient time possible, but no later than forty-five (45) calendar days” following confirmation of a “breach” and the ability to ascertain information necessary to provide notification.
- Format: N/A
- Content: Notification must include:
  - A general description of the breach incident and the number of affected individuals;
  - Types of PI that were impacted;
  - Estimated date / date range of the breach;
  - Date of discovery of the breach;
  - A clear and concise description of any remediation services offered, including toll free numbers and websites to contact (i) credit reporting agencies; (ii) remediation services providers; and (iii) the Rhode Island Attorney General; and
  - A clear and concise description of the individual’s ability to file a police report; how an individual may request a credit freeze and the information necessary to request a credit freeze; and that fees may be required to be paid to the consumer reporting agencies.
- Method: Notification may be provided by (1) written notice; (2) electronic notice, if consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001; or (3) substitute notice.
Substitute Notice:
An entity may provide substitute notice if the entity demonstrates (1) the cost of direct notice would exceed $25,000; (2) the notification population exceeds 50,000; or (3) the entity does not have sufficient contact information. It must consist of (1) e-mail notice, where an email address is available; (2) conspicuous posting on the entity’s webpage; and (3) notice to major statewide media.
Remediation Services:
N/A
Regulatory Notice:
Notification must be made to the Rhode Island Attorney General if more than 500 Rhode Island residents are notified.
Credit Reporting Agencies Notice:
Notification must be made to the major consumer reporting agencies if more than 500 Rhode Island residents are notified.
Third-Party Notice:
N/A
HIPAA:
A provider of health care, health care service plan, health insurer, or covered entity governed by the medical privacy and security rules issued by the Federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will be deemed in compliance with this chapter.
Private Action:
N/A
Associated Regulations:
- Information Security Standard (R.I. Gen. Laws §§ 11-49.3-2 to 11-49.3-6)
Information Security Standard
Highlights
Covered Entities: A municipal agency, state agency, or entity that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident.
First Party Security Standard: A municipal agency, state agency, or entity that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information.
Third Party Security Standard: A municipal agency, state agency, or entity that discloses personal information about a Rhode Island resident to a nonaffiliated third party shall require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure. The provisions of this section shall apply to contracts entered into after the effective date of this act.
Disposal/Destruction Standard: A municipal agency, state agency, or entity shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency, or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.
Data Format: Electronic and Paper.
Citations: R.I. Gen. Laws §§ 11-49.3-2 to 11-49.3-6
More Details
Definitions:
- Personal Information (PI):
  - An individual’s first name or first initial and last name in combination with one (1) or more of the following data elements, when the name and data elements are not encrypted or are in hard copy, paper format:
    - Social Security number;
    - Driver’s license number, Rhode Island identification card number, or tribal identification number;
    - Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account; or
    - Medical or health insurance information.
  - E-mail address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.
Methods of Compliance:
Implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected. Secure destruction methods include, but are not limited to, shredding, pulverization, incineration, or erasure.
Exclusions:
- Health Care: N/A
- Financial: N/A
- Other: N/A
Enforcement/Penalties:
Whenever the attorney general has reason to believe that a violation of this chapter has occurred and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the business or person in violation. Each reckless violation of this chapter is a civil violation for which a penalty of not more than $100 per record may be adjudged against a defendant. Each knowing and willful violation of this chapter is a civil violation for which a penalty of not more than $200 per record may be adjudged against a defendant.
Associated Regulations:
N/A