State Agency Website
Timing of Consumer Notification
“Most expedient time possible but no later than 45 calendar days after confirmation of breach.”
Method of Notice
Mail. Email permitted if complies with E-SIGN.
Breach Definition
Unauthorized access or acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of PII.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if unencrypted or in hard copy format:
  1. Social Security number;
  2. Driver license number, identification card number or tribal identification number;
  3. Account number or credit card number or debit card number in combination with any required security code, access code, password, or personal identification number that would permit access to financial account;
  4. Medical or health insurance information;
  5. Email address in combination with any required security code, access code, or password that would permit access to personal, medical, insurance, or financial account.
Third Party Notice
Not required.
How to Notify
Notice must include all: (a) general and brief description of incident, including how breach occurred and number affected; (b) type of information subject to breach; (c) date of breach, estimated date of breach, or date range within which breach occurred; (d) date breach discovered; (e) clear and concise description of remediation services offered to affected individuals including toll-free numbers and websites to contact credit reporting agencies, remediation service providers, and attorney general; and (f) clear and concise description of consumer’s ability to file or obtain police report; how consumer requests security freeze and necessary information to provide when requesting and that fees may have to be paid to consumer reporting agencies.
Substitute Notice
All: (a) email if entity has email address for subject persons; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 500 Rhode Island residents must be notified.
This State's Law
Entities that maintain PII must implement and maintain risk-based information security program that contains reasonable security procedures and practices appropriate to size and scope of organization; nature of information; and purpose for which information collected.
State Government Agency Notification Required
Yes, Rhode Island Attorney General if more than 500 Rhode Island residents must be notified.