
Rhode Island Data Breach Laws: Notification Requirements and Fines

In Rhode Island, a business that experiences a data breach must investigate whether personal information could be misused. Businesses are legally required to notify affected Rhode Island residents as soon as possible by mail or electronic means. If the security breach affects more than 50,000 people, or the cost of notification exceeds $50,000, public service announcements are acceptable. Businesses that don’t comply with notification regulations can be fined up to $25,000.

Name of Law / Statute

Rhode Island Identity Theft Protection Act of 2005

Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.

Who Is Subject to Law?

Any person or business conducting business in the state who licenses or owns PI

Notification of Consumers?

Yes, unless determination of no "identity theft risk" by the business or law enforcement

By what means?

Written or electronic

Substitute Notice Threshold?

If cost of notice >$25,000 or involves >50k residents

Notification of authorities / regulators required?

No

By what means?

N/A

Regulatory Fines

$100/occurrence, up to $25,000

Credit monitoring requirement?

No

Private lawsuits allowed?

Yes

Private damages cap?

Actual damages + costs, fees

Regulatory actions allowed?

Yes

HIPAA Compliance exemption?

Yes

Other (e.g., timeframe)

Law does not apply if PI was encrypted

Link to complete law

http://webserver.rilin.state.ri.us/Statutes/title11/11-49.2/index.htm

Read the full text of Rhode Island’s data breach law.
