Security Breach Notice Law in the State of Rhode Island

R.I. Gen. Laws § 11-49.2-1 is a data breach notification law that was enacted in the U.S. state of Rhode Island in 2005 and went into effect the following year in 2006. In instances where a data or security breach occurs, R.I. Gen. Laws § 11-49.2-1 establishes the legal protocol that must be followed as it concerns protecting the personal information of citizens within Rhode Island. To this point, the law also sets forth the penalties that can be imposed against businesses and organizations within the state that fail to comply with the provisions of the law when a data or security breach takes place.

What is the scope and application of R.I. Gen. Laws § 11-49.2-1?

As it pertains to the scope and application of R.I. Gen. Laws § 11-49.2-1, the provisions laid out in the law are applicable to any “municipal agency, state agency, individual, sole proprietorship, partnership, association, corporation, or joint venture, business or legal entity, trust, estate, cooperative or other commercial entity (collectively, Entity) that stores, owns, collects, processes, maintains, acquires, uses or licenses data that includes PI.” Conversely, entities within Rhode Island that maintain “own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute, shall be deemed to be in compliance.”

What are the data breach notification requirements under R.I. Gen. Laws § 11-49.2-1?

R.I. Gen. Laws § 11-49.2-1 mandates that any entity within the state of Rhode Island provide data breach notifications to all affected individuals and parties, in either written or electronic form, should a data breach occur. Moreover, these data breach notifications must provide residents within the state with the following information:

• A brief description of the event surrounding the data breach, including the number of Rhode Island residents that were affected by the breach, as well circumstances that lead to the breach, in general terms.
• The types of personal information that were subject to the breach.
• The approximate date, estimated date, or range of dates upon which the breach occurred.
• The date on which the breach was discovered.
• A clear and concise description of any remediation services that the affected entity is offering to affected individuals within Rhode Island, including the contact information needed to contact the three major credit reporting agencies in the U.S., any applicable remediation service providers, and the Rhode Island attorney general.
• A clear and concise description outlining the rights of consumers to file a police report, the procedural steps and information that are required to request a credit report freeze, and any fees associated with such a request.

What types of personal information are covered under R.I. Gen. Laws § 11-49.2-1?

In accordance with the provisions of R.I. Gen. Laws § 11-49.2-1, the following types of personal information are legally protected from disclosure in the event that a data breach occurs, in combination with a Rhode Island resident’s first name or first initial and last name, in instances where these data elements are in a hard copy format or have not been encrypted:

• Social security numbers.
• Drivers license numbers, Rhode Island identification card numbers, and tribal identification card numbers.
• Financial account numbers, debit, and credit card numbers, and any other applicable passwords, security codes, passwords, or access codes that could be used to permit access to a Rhode Island resident’s financial account.
• Email addresses, as well as any required passwords, access codes, or security codes that could be used to permit access to a Rhode Island resident’s personal, insurance, medical, or financial account.
• Medical and health insurance information.

In terms of the enforcement of the law, the provisions of R.I. Gen. Laws § 11-49.2-1 are enforceable by the Rhode Island attorney general. Subsequently, the Rhode Island attorney general has the authority to impose monetary penalties against individuals, businesses, and organizations within the state that are found to be in violation of the law. Such punishments include a fine of up to $100-$200 for each personal record that is compromised during the course of a data breach, depending on whether or not the violations were committed willfully. Furthermore, R.I. Gen. Laws § 11-49.2-1 also gives in the Rhode Island attorney general the authority to “bring an action in the name of the state against the business or person in violation.”

How can businesses within Rhode Island protect themselves from data breaches?

While any business that consistently collects and processes personal information will eventually be faced with a scenario in which a data breach occurs, there are measures that can be taken to ensure that personal information remains secure during such attacks. To provide an example of this, businesses can utilize automatic redaction software programs to protect the personal information they use in their respective operations. As these software programs effectively render personal information unreadable or unusable, a business that has redacted certain forms of personal information will still be protected should this information become compromised during a data breach. As such, these businesses can also avoid the hefty fines and penalties that can be imposed against entities that fail to comply with data breach legislation such as R.I. Gen. Laws § 11-49.2-1.

As a large portion of the American population currently makes use of the internet during the course of their daily routine, be it in the form of social media usage or online classes during the worldwide COVID-19 pandemic, legislation that protects American consumers from the adverse effects of data breaches are of the utmost importance. With this being said, although some aspects of R.I. Gen. Laws § 11-49.2-1 are somewhat archaic when compared with other such laws around the country that have been updated in recent years, the provisions that were created in 2006 still provide residents of the state with a strong level of protection as it pertains to data and security breaches. To this end, the law provides Rhode Island residents with the legal means to seek both justice and compensation for any damages they experience as a result of having their personal information improperly disclosed or compromised during the course of a data breach.