Rhode Island General Laws § 11-49.3-1 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"'Breach of the security of the system' means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information necessary to meet the notice requirements contained in subsection (d)...and shall be consistent with the legitimate needs of law enforcement..." If over 500 residents are affected, the Attorney General and consumer credit reporting agencies must receive notice as well. Subsection (d) sets out six pieces of information, excerpted below:
"(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;
(2) The type of information that was subject to the breach;
(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;
(4) Date that the breach was discovered;
(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and
(6) A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies."
What are the penalties for non-compliance?
Violations have their own section of the law, § 11-49.3-5, which reads as follows:
"(a) Each reckless violation of this chapter is a civil violation for which a penalty of not more than one hundred dollars ($100) per record may be adjudged against a defendant.
(b) Each knowing and willful violation of this chapter is a civil violation for which a penalty of not more than two hundred dollars ($200) per record may be adjudged against a defendant.
(c) Whenever the attorney general has reason to believe that a violation of this chapter has occurred and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the business or person in violation."