Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $200 per record

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to the Attorney General and the major credit reporting agencies is required if more than 500 Rhode Island residents are to be notified of a breach.
  • Specific notification details are required.
  • If a Vendor is breached, they should notify the Organization. The Organization will be responsible for completing the reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations must contract with Vendors to whom the Organization discloses personal information.
  • Organizations and Vendors are required to have in place security procedures and practices to protect personal information.
  • Organizations and Vendors in the business of destroying records must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • Vendors must ensure protection of the personal information during disposal.
  • In addition to penalties of up to $200 per record for violations involving breach notification and reporting, the Attorney General may bring an action in the name of the state, against the business or person in violation.
  • Violations of the Safe Destruction of Documents Containing Personal Information law could incur civil penalties of $500 per violation, up to $50,000.
Statutes and Laws
  • RI Gen L §§ 11-49.3-1 – 11-49.3-6: Identity Theft Protection Act
  • RI Gen L § 6-52-2: Safe Destruction of Documents Containing Personal Information
