§ 11-49.3-4. Notification of breach.
(a)(1) Any municipal agency, state agency, or person who or that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.
(2) The notification shall be made in the most expedient time possible, subject to the following:
(i) For state and municipal agencies, no later than thirty (30) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency or state agency shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents. Where affected employees are represented by a labor union through a collective bargaining agreement, the employer shall also notify the collective bargaining agent, or designee, of such breaches.
(ii) For persons subject to subsection (a)(1), which is not a state or municipal agency, no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify the attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general and the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents.
(b) The notification required by this section may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the municipal agency, state agency, or person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or municipal law enforcement agency determines and informs the municipal agency, state agency, or person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal, state, or municipal law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.
(c) Any municipal agency, state agency, or person required to make notification under this section and fails to do so is liable for a violation as set forth in § 11-49.3-5.
(d) The notification to individuals must include the following information to the extent known:
(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;
(2) The type of information that was subject to the breach;
(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;
(4) Date that the breach was discovered;
(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact:
(i) The credit reporting agencies;
(ii) Remediation service providers;
(iii) The attorney general; and
(6) A clear and concise description of the consumer’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
(e) For state and municipal agencies remediation services to be provided and to be described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be limited to:
(1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of coverage; and
(2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no less than two (2) years of coverage beyond age eighteen (18).
History of Section.
P.L. 2015, ch. 138, § 2; P.L. 2015, ch. 148, § 2; P.L. 2023, ch. 375, § 1, effective
June 27, 2023.