§ 11-49.3-3. Definitions.
(a) The following definitions apply to this chapter:
(1) "Breach of the security of the system" means unauthorized access or acquisition of
unencrypted, computerized data information that compromises the security, confidentiality,
or integrity of personal information maintained by the municipal agency, state agency,
or person. Good-faith acquisition of personal information by an employee or agent
of the agency for the purposes of the agency is not a breach of the security of the
system; provided, that the personal information is not used or subject to further
unauthorized disclosure.
(2) "Classified data" means any data that is not public (private, sensitive, confidential).
Classified data requires additional security controls, such as access restrictions
and encryption. Classified data includes personally identifiable information (PII),
personally identifiable health information (PHI), or federal tax information (FTI).
(3) "Cybersecurity incident" means unauthorized access that could jeopardize the confidentiality,
integrity, or availability of critical information systems and critical infrastructure
systems (i.e., first responder networks, water, energy).
(4) "Encrypted" means the transformation of data through the use of a one hundred twenty-eight
(128) bit or higher algorithmic process into a form in which there is a low probability
of assigning meaning without use of a confidential process or key. Data shall not
be considered to be encrypted if it is acquired in combination with any key, security
code, or password that would permit access to the encrypted data.
(5) "Health insurance information" means an individual's health insurance policy number,
subscriber identification number, or any unique identifier used by a health insurer
to identify the individual.
(6) "Medical information" means any information regarding an individual's medical history,
mental or physical condition, or medical treatment or diagnosis by a healthcare professional
or provider.
(7) "Municipal agency" means any department, division, agency, commission, board, office,
bureau, authority, quasi-public authority, or school, fire, or water district within
Rhode Island, other than a state agency, and any other agency that is in any branch
of municipal government and exercises governmental functions other than in an advisory
nature.
(8) "Owner" means the original collector of the information.
(9) "Person" shall include any individual, sole proprietorship, partnership, association,
corporation, joint venture, business, legal entity, trust, estate, cooperative, or
other commercial entity.
(10) "Personal information" means an individual's first name or first initial and last
name in combination with any one or more of the following data elements, when the
name and the data elements are not encrypted or are in hard copy, paper format:
(i) Social security number;
(ii) Driver's license number, Rhode Island identification card number, or tribal identification
number;
(iii) Account number, credit or debit card number, in combination with any required security
code, access code, password, or personal identification number, that would permit
access to an individual's financial account;
(iv) Medical or health insurance information; or
(v) E-mail address with any required security code, access code, or password that would
permit access to an individual's personal, medical, insurance, or financial account.
(11) "Remediation service provider" means any person who or that, in the usual course of
business, provides services pertaining to a consumer credit report including, but
not limited to, credit report monitoring and alerts, that are intended to mitigate
the potential for identity theft.
(12) "State agency" means any department, division, agency, commission, board, office,
bureau, authority, or quasi-public authority within Rhode Island; either branch of
the Rhode Island general assembly or an agency or committee thereof; the judiciary;
or any other agency that is in any branch of Rhode Island state government and that
exercises governmental functions other than in an advisory nature.
(b) For purposes of this chapter, personal information does not include publicly available
information that is lawfully made available to the general public from federal, state,
or local government records.
(c) For purposes of this chapter, "notice" may be provided by one of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions regarding
electronic records and signatures set forth in 15 U.S.C. § 7001; or
(3) Substitute notice, if the municipal agency, state agency, or person demonstrates that
the cost of providing notice would exceed twenty-five thousand dollars ($25,000),
or that the affected class of subject persons to be notified exceeds fifty thousand
(50,000), or the municipal agency, state agency, or person does not have sufficient
contact information. Substitute notice shall consist of all of the following:
(i) E-mail notice when the municipal agency, state agency, or person has an e-mail address
for the subject persons;
(ii) Conspicuous posting of the notice on the municipal agency's, state agency's, or person's
website page, if the municipal agency, state agency, or person maintains one; and
(iii) Notification to major statewide media.