Resources 2017-10-04T14:56:45+00:00


Rhode Island Department of Attorney General

Rhode Island State/Federal Cyber Disruption Response (PDF)
Suggested call order to report cyber intrusions for investigation.

The Rhode Island State Police (RISP) Computer Crimes Unit (CCU) is a multi-agency unit that prevents, interdicts, investigates and prosecutes individuals who use the Internet to commit crimes.

On June 26, 2015, Rhode Island Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (“SB134”) into law. SB134 substantially revises the prior statute by expanding the definition of “personal information,” requiring notification to the Rhode Island Attorney General, and mandating a risk-based information security program. The law took effect on June 26, 2016.

Personal Information: SB134 amends the definition of personal information to include Social Security numbers; driver’s license numbers, Rhode Island identification card numbers, or tribal identification numbers; health insurance and medical information; and email addresses combined with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial accounts.

Security Breach: The law broadens the definition of a “breach of the security system” to include “unauthorized access or acquisition of unencrypted computerized data,” and it requires an entity to use a 128-bit or higher algorithmic encryption process in order to be considered “encrypted data” for purposes of breach notification under the law.

Notification: The law requires notification to the Rhode Island Attorney General for breaches involving 500 or more Rhode Island residents. The amendments also require Rhode Island consumers to be notified of a breach within 45 calendar days from confirmation of the breach. Each reckless violation of Rhode Island’s revised statute, including the failure to notify, can result in a penalty of $100 per record, while knowing and willful violations could reach $200 per record.

Risk-Based Information Security Program: SB134 requires entities to “implement a risk- based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” The use of “risk- based information security program” suggests that the Rhode Island legislature expects entities to adopt a risk management plan similar to that currently mandated under the Health Insurance Portability and Accountability Act (HIPAA).