Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

RHODE ISLAND DATA PRIVACY REGULATIONS

Did You Know?

 
  • New statutes are effective as of July 2, 2016
  • A risk-based information security program is mandatory, including procedures and practices for data security, retention, destruction, and third-party contracts
  • Breach notifications must be made within 45 days after breach confirmation and the ability to ascertain the information required to fulfill the notice requirements
  • The state attorney general and credit reporting agencies may need to be notified
  • Specific information must be provided in the consumer notification
  • Reckless violations could be up to $100 per record; willful violations could be up to $200 per record

Who Me?

 

Rhode Island breach and notification laws may apply if you are a municipal agency, state agency or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information.
 
The statutes do not differentiate notification responsibility between a data owner and a third-party provider; however, data owners must require by contract that their third parties implement and maintain security procedures and practices.

There are exceptions for a person that is already subject to particular federal laws.

What is PII?

 

PII relevant to a breach in Rhode Island usually includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license number;
  • State or tribal identification number;
  • Account or credit/debit card numbers, required security code, etc., that permits access to their financial account;
  • Medical or health insurance information;
  • Email address with any required security code, etc., that permits access to their personal, medical, insurance or financial account.

LAWS

APPLICABLE LAW

Applicable statutes include, but are not limited to:

Title 11 – Criminal Offenses

Chapter 11-49.3 Identity Theft Protection Act of 2015 §11-49.3: 1 through 6

RELATED LAWS

A few applicable statutes include, but are not limited to:

Title 11 – Criminal Offenses

Chapter 11-49.3 Identity Theft Protection Act of 2015 §11-49.3: 1 through 6

Title 6 – Commercial Law – General Regulatory Provisions

Chapter 6-52 Safe Destruction of Documents Containing Personal Information

PENALTIES

COMPLIANCE PENALTIES

Penalties under its statutes may include:

  • Reckless violations could be up to $100 per record; willful violations could be up to $200 per record Under Title 6, Chapter 6-52 Safe Destruction of Documents Containing Personal Information;
  • State Attorney General may bring an action for actual damages of the aggrieved customer and a civil penalty of $500 for each violation, not to exceed $50,000;
  • Customers who incur actual damages may bring civil action.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider for reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or in hard copy, paper format;
  • If the access or acquisition was unauthorized or subject to further disclosure;
  • If there is a significant risk of identity theft.

TIME LIMITS

The notifications must be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements, unless law enforcement advises the person it will interfere with an investigation.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice or electronically (with stipulations). Specific information must be contained in the notifications.

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $25,000, or the number of persons to be notified exceeds 50,000, or they do not have sufficient contact information.
