|R.I. Gen. Laws § 11-49.2-1 et seq. |
H.B. 6191 (became law without Governor’s signature July 10, 2005, Chapter 225)
Effective March 1, 2006
Application. A state agency, individual, partnership association, corporation or joint venture (collectively, Entity) that owns, maintains or licenses computerized data that includes PI.
Security Breach Definition. Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Notification Obligation. Any Entity to which the statute applies shall disclose any breach of the security of the system which poses a significant risk of identity theft following discovery or notification of the breach in the security of the data to any resident of RI whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person or a person without authority, to acquire said information.
- Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used or subject to further unauthorized disclosure.
Third-Party Data Notification. Any Entity that maintains computerized unencrypted data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the data which poses a significant risk of identity theft immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
- Notification of a breach is not required if, after an appropriate investigation or after consultation with relevant federal, state, or local law enforcement agencies, a determination is made that the breach has not and will not likely result in a significant risk of identity theft to the individuals whose PI has been acquired.
Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Notice Required. Notice may be provided by any of the following methods:
- Social Security Number;
- Driver license number or RI identification card number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $25,000, or that the affected class of subject persons to be notified exceeds 50,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Written notice; or
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Exception: Own Notification Policy. Any Entity that maintains its own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute, shall be deemed to be in compliance with the security breach notification, provided such Entity notifies subject persons in accordance with such Entity’s policies in the event of a breach of security.
- Email notice when the Entity has an email address for the subject persons;
- Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide media.
Exception: Compliance with Other Laws.
Penalties. Each violation is a civil violation for which a penalty of not more than $100 per occurrence and not more than $25,000 may be adjudged against a defendant.
- Compliance with Primary Regulator. Any Entity that maintains a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator shall be deemed to be in compliance with the security breach notification requirements of this section, provided such Entity notifies subject persons in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security of the system.
- Federal Interagency Guidance. A financial institution, trust company, credit union or its affiliates that is subject to and examined for, and found in compliance with the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed in compliance with this chapter.
- HIPAA-Covered Entities. A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.
Other Key Provisions:
- Delay for Law Enforcement. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The required notification shall be made after the law enforcement agency determines that it will not compromise the investigation.
- Waiver Not Permitted.