DBN Statutes – Rhode Island

Data Breach Notification Statutes – Rhode Island

Last Updated: 02/28/2024

  • Applicable Statute: R.I. Gen Laws §§ 11-49.3-2 to 11-49.3-6          
  • Attorney General Notice Required: Yes – must notify Attorney General if more than 500 resident are notified.
    • Timing : Notification to the attorney general shall be made without delaying notice to affected Rhode Island residents.
    • Method: Not specified (Mailing address is RI Office of the Attorney General 150 South Main Street Providence, RI 02903)
    • Content: A sample copy of the consumer notification letter must be submitted to the Attorney General, along with the approximate number of affected individuals.
  • Consumer Notice Requirements:
    • Timing: Most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to provide notice.
    • Method: Written notice; or electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).
    • Content: Notification must include the following information, to the extent known:
      • A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;
      • The type of information that was subject to the breach;
      • Date of breach, estimated date of breach, or the date range within which the breach occurred;
      • Date that the breach was discovered;
      • A clear and concise description of any remediation services offered, including toll free numbers and websites to contact: (i) credit reporting agencies; (ii) remediation service providers; and (iii) the Attorney General; and
      • A clear and concise description of the resident’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies
  • Consumer Reporting Agency Obligations: If more than five hundred (500) Rhode Island residents are affected, major credit reporting agencies are to be notified as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
  • Encryption Safe Harbor: Statute does not apply to encrypted information.
  • Potential Penalties:  Violations may result in civil penalties and other remedies. Reckless violations of the statute may result in penalties up to $100 per record. Knowing and willful violations may be penalized up to $200 per record.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required