Title 11
Criminal Offenses

Chapter 49.3
Identity Theft Protection Act of 2015

R.I. Gen. Laws § 11-49.3-3

§ 11-49.3-3. Definitions.

(a) The following definitions apply to this chapter:

(1) “Breach of the security of the system” means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person. Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.

(2) “Classified data” means any data that is not public (private, sensitive, confidential). Classified data requires additional security controls, such as access restrictions and encryption. Classified data includes personally identifiable information (PII), personally identifiable health information (PHI), or federal tax information (FTI).

(3) “Cybersecurity incident” means unauthorized access that could jeopardize the confidentiality, integrity, or availability of critical information systems and critical infrastructure systems (i.e., first responder networks, water, energy).

(4) “Encrypted” means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.

(5) “Health insurance information” means an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

(6) “Medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider.

(7) “Municipal agency” means any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode Island, other than a state agency, and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

(8) “Owner” means the original collector of the information.

(9) “Person” shall include any individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity.

(10) “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:

(i) Social security number;

(ii) Driver’s license number, Rhode Island identification card number, or tribal identification number;

(iii) Account number, credit or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account;

(iv) Medical or health insurance information; or

(v) E-mail address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.

(11) “Remediation service provider” means any person who or that, in the usual course of business, provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.

(12) “State agency” means any department, division, agency, commission, board, office, bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode Island general assembly or an agency or committee thereof; the judiciary; or any other agency that is in any branch of Rhode Island state government and that exercises governmental functions other than in an advisory nature.

(b) For purposes of this chapter, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(c) For purposes of this chapter, “notice” may be provided by one of the following methods:

(1) Written notice;

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; or

(3) Substitute notice, if the municipal agency, state agency, or person demonstrates that the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal agency, state agency, or person does not have sufficient contact information. Substitute notice shall consist of all of the following:

(i) E-mail notice when the municipal agency, state agency, or person has an e-mail address for the subject persons;

(ii) Conspicuous posting of the notice on the municipal agency’s, state agency’s, or person’s website page, if the municipal agency, state agency, or person maintains one; and

(iii) Notification to major statewide media.

History of Section.
P.L. 2015, ch. 138, § 2; P.L. 2015, ch. 148, § 2; P.L. 2023, ch. 375, § 1, effective June 27, 2023.