Rhode Island Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to Rhode Island residents, a data breach triggers specific legal obligations under the state's Identity Theft Protection Act of 2015. Codified at R.I. Gen. Laws 11-49.3, the law sets out who must notify, what information triggers notification, the timeline for action, and the penalties for noncompliance.
Rhode Island replaced its original breach notification statute (Chapter 11-49.2) with this more comprehensive framework, which took effect on July 2, 2016. The law applies to any entity that stores, owns, collects, processes, maintains, acquires, uses, or licenses computerized data containing the personal information of Rhode Island residents, regardless of where the entity is located.
This guide covers the full scope of Rhode Island's breach notification requirements, including how they connect to the broader [Rhode Island data privacy laws](/us-laws/data-privacy-laws/rhode-island-data-privacy-laws) framework.

Who Must Comply With Rhode Island's Breach Notification Law
Rhode Island's law applies broadly. Under Section 11-49.3-4, any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information must comply.
The term "person" covers individuals, corporations, businesses, partnerships, associations, and any other legal entity. Businesses based outside Rhode Island are subject to the law if they hold data belonging to Rhode Island residents.
Third-Party Data Holders
When a third party maintains data on behalf of another entity, the third party must notify the data owner or licensee immediately upon discovering a breach. The data owner then bears the responsibility to notify affected individuals and, if applicable, the Attorney General.
Entities With Their Own Security Procedures
Under Section 11-49.3-6, entities that maintain their own information security breach procedures as part of an information privacy or security policy are deemed in compliance with this chapter, as long as those procedures are at least as protective as the state requirements and include notification consistent with the timing requirements.
Entities subject to HIPAA, the Gramm-Leach-Bliley Act, or other federal frameworks with equivalent breach notification requirements may follow those federal procedures instead.
What Triggers Notification
Notification is required when there is unauthorized access to or acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information, and the breach poses a significant risk of identity theft to a Rhode Island resident.
This "risk of identity theft" standard means that not every instance of unauthorized access automatically triggers notification. The entity must assess whether the nature of the compromised information creates a meaningful risk of identity theft for the affected residents.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the data is not used or disclosed in an unauthorized manner.
Personal Information That Triggers the Law
Under Section 11-49.3-3, personal information means an individual's first name or first initial and last name combined with any one or more of the following data elements, when not encrypted:
- Social Security number
- Driver's license number, Rhode Island identification card number, or tribal identification number
- Account number, credit or debit card number, in combination with any required security code, access code, password, or PIN that would permit access to the account
- Medical information (any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional)
- Health insurance information (health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer)
- Email address with any required security code, access code, or password that would permit access to a personal, medical, insurance, or financial account
Rhode Island's inclusion of medical information, health insurance data, and email credentials makes its definition broader than many states. Personal information does not include publicly available information lawfully obtained from federal, state, or local government records.

The 128-Bit Encryption Safe Harbor
Rhode Island is one of few states that specifies a minimum encryption standard in its breach notification law. Under Section 11-49.3-3, "encrypted" means the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
If personal information was encrypted to this standard at the time of the breach, and the encryption key was not also acquired during the incident, notification is not required.
However, data is not considered encrypted if it was acquired in combination with any key, security code, or password that would permit access. A breach that compromises both the encrypted data and the decryption key triggers full notification obligations.
Practical Implications
This 128-bit threshold means AES-128, AES-256, and similar modern algorithms all qualify, provided the decryption key was not also acquired in the incident. Weaker or proprietary encryption methods that do not meet the 128-bit standard would not provide safe harbor protection.
Notification Timeline: 45 Days and 30 Days
Rhode Island imposes two different deadlines depending on the type of entity involved.
Private Entities: 45 Calendar Days
For persons (businesses, corporations, and other non-governmental entities), notification must be provided no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.
Government Agencies: 30 Calendar Days
State and municipal agencies face a shorter deadline of 30 calendar days after the same confirmation and ascertainment threshold.
When the Clock Starts
The deadline runs from the date the entity both confirms a breach occurred and can ascertain the details needed for the notification (who was affected, what data was involved). The entity may take reasonable time to investigate, but must not use investigation as a pretext for delay.
Law enforcement may request a delay if notification would impede a criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, the countdown resumes.
Who Must Be Notified
Affected Individuals
Every Rhode Island resident whose personal information was or is reasonably believed to have been acquired by an unauthorized person or entity must receive individual notification.
Attorney General and Credit Reporting Agencies (500+ Threshold)
Under Section 11-49.3-4, when 500 or more Rhode Island residents must be notified, the entity must also notify the Rhode Island Attorney General and the major consumer credit reporting agencies (Equifax, Experian, and TransUnion). The notice must include the timing, content, and distribution of the consumer notices and the approximate number of affected individuals.
Methods of Notification
Rhode Island permits several notification methods:
- Written notice sent to the individual's last known mailing address
- Electronic notice, if consistent with the federal E-SIGN Act (15 U.S.C. 7001 et seq.)
- Substitute notice, if the entity demonstrates that the cost of individual notice exceeds $25,000, the affected population exceeds 50,000 residents, or the entity does not have sufficient contact information. Substitute notice requires all three of: email notice to available addresses, conspicuous posting on the entity's website, and notification to statewide media.
Required Content of the Notification
Rhode Island is unusually specific about what the notification must contain. The notice must include:
- A general description of the incident, including how the breach occurred and the number of affected individuals
- The type of personal information subject to the breach
- The date of the breach, estimated date, or date range
- A description of any remediation services offered, including toll-free numbers and websites to contact credit reporting agencies and the Attorney General
- A description of the consumer's ability to file a police report
- How to request a security freeze
- A statement that consumer reporting agencies may charge fees for placing a security freeze

Penalties for Noncompliance
Under Section 11-49.3-5, Rhode Island imposes per-record civil penalties:
- Reckless violations: Up to $100 per record
- Knowing and willful violations: Up to $200 per record
There is no statutory aggregate cap on these penalties. For a breach affecting thousands of records, exposure can grow rapidly.
Enforcement Authority
Only the Rhode Island Attorney General can enforce this statute. When the AG has reason to believe a violation has occurred and that proceedings would be in the public interest, the AG may bring an action in the name of the state.
No Private Right of Action
Rhode Island's breach notification law does not create a private right of action. Individuals cannot sue under this statute for failure to notify. However, affected individuals may pursue claims under other legal theories, such as negligence or the state's Deceptive Trade Practices Act, depending on the circumstances.
Information Security Program Requirement
Rhode Island goes beyond notification alone. Under Section 11-49.3-2, any municipal or state agency, or person, that stores, collects, processes, maintains, acquires, or uses personal information must implement and maintain a risk-based information security program with reasonable security procedures and practices appropriate to the size of the entity, the nature of the data stored, and the purpose for collecting the information.
This requirement applies independently of whether a breach occurs. It means Rhode Island can hold entities accountable not only for failing to notify after a breach, but also for failing to maintain adequate security to prevent breaches in the first place.
Sources and References
This article draws from the following official Rhode Island government sources:
- R.I. Gen. Laws Chapter 11-49.3 (Identity Theft Protection Act of 2015), rilegislature.gov - Full text of Rhode Island's data breach and identity theft protection statute
- Section 11-49.3-3 (Definitions), rilegislature.gov - Definitions including personal information, encrypted, and medical information
- Section 11-49.3-4 (Notification of Breach), rilegislature.gov - Full breach notification requirements and timelines
- Section 11-49.3-5 (Penalties for Violation), rilegislature.gov - Penalty provisions for reckless and willful violations
- Rhode Island Attorney General: Data Breach Notifications, riag.ri.gov - AG breach notification portal
This article provides general legal information about Rhode Island data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Rhode Island for guidance specific to your situation.