Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible but no later than 45 days
Government Notification Required: Yes, if >500 residents notified
Scope of this Summary:
Notification requirements applicable to persons who store, own, collect, process, maintain, acquire, use, or license covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification of a breach is not required if, after an appropriate investigation, it is determined that the breach has not and will not likely result in a significant risk of identity theft to the individuals whose personal information was acquired.
Unauthorized access or acquisition that materially compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted so long as encryption key was not accessed or acquired.
Form of Covered Information
Electronic or Paper
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number, Rhode Island identification card number, or tribal identification number.
- Account number, credit or debit card number, in combination with any required security code, access code, password, or personal identification number that would permit access to an individual's financial account.
- Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider.
- Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.
- E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance or financial account.
Consumer Notice Timing
Must be made in the most expedient time possible but no later than 45 days after confirmation of the breach and the ability to ascertain information that must be included in the consumer notice.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
- Notifications to individuals must include the following information to the extent known:
- A general and brief description of the incident, including how the security breach occurred and the number of affected individuals.
- The type of information that was subject to the breach.
- Date of breach, estimated date of breach or the date range within which the breach occurred.
- Date that the breach was discovered.
- A clear and concise description of any remediation services offered to affected individuals including toll-free numbers and websites to contact: the major credit reporting agencies, remediation service providers and the attorney general.
- A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the Consumer Reporting Agencies.
Notification may be delayed if law enforcement determines and notifies the entity that notice will impede a criminal investigation.
If more than 500 residents are notified, must notify the Attorney General of timing, distribution, and content of the consumer notice and the number of affected individuals. Notification may not delay consumer notice.
Consumer Reporting Agency Notice
If more than 500 residents are notified, must notify the major Consumer Reporting Agencies of timing, distribution, and content of the consumer notice and the number of affected individuals. Notification may not delay consumer notice.
Exceptions to Other Laws
Entities subject to and comply with the Health Insurance Portability and Accountability Act (HIPAA). Entities that comply with the notification requirements of their primary or functional federal regulators as defined in 15 USC § 6809(2).
In Rhode Island, any state agency or person that maintains computerized unencrypted data that includes personal information it does not own must directly notify the affected persons of the breach.
Private Right of Action
The Rhode Island general breach notification statute does not provide for a private cause of action.
Violations may result in civil penalties.