The Rhode Island Identity Theft Protection Act of 2015

The Rhode Island Identity Theft Protection Act (ITPA) is a Rhode Island data privacy and data security law. It requires certain entities that collect and disclose personal information about Rhode Island residents to develop risk-based information security programs and practices, and to notify affected individuals in the event of a security breach.

What Requirements Does the Rhode Island Identity Theft Protection Act of 2015 Impose?

The Rhode Island Identity Theft Protection Act of 2015 requires that state agencies, municipal agencies, and individuals that:

  • Store, collect, process, maintain, acquire, use, own or license personal information, of
  • A Rhode Island resident,

implement and maintain a risk-based information security program to prevent breaches of their security systems. 

Under the Rhode Island Identity Theft Protection Act, the risk-based information security program must:

  • Contain reasonable security procedures and practices appropriate to the organization’s size and scope; the nature of the information; and the purpose for which the information was collected, in order to
  • Protect the personal information from unauthorized access, use, modification, destruction, or disclosure, AND to
  • Preserve the confidentiality, integrity, and availability of the personal information.

In addition, under the Rhode Island Identity Theft Protection Act, personal information must be destroyed in a secure manner, using techniques such as shredding, pulverization, incineration, or erasure.

The Rhode Island Identity Theft Protection Act of 2015 also requires that state agencies, municipal agencies, and individuals that disclose personal information about a Rhode Island resident to a nonaffiliated third party must:

  • Require, by contract, that the third party implement and maintain reasonable security procedures, so as to
  • Protect the personal information from unauthorized access, use, modification, destruction, and disclosure.

What is “Personal Information”?

Under the Rhode Island Identity Theft Protection Act of 2015, personal information is an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy paper format:

  • Social Security number;
  • Driver’s license number, Rhode Island identification card number, or tribal identification number;
  • Account number or credit or debit card number, in combination with any required security code, access code, password, or PIN that would permit access to an individual’s financial account;
  • Medical information, including:
    • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional or provider;
    • Health insurance information, including an individual’s health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or
    • Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.

What Constitutes a Breach of the Security System?

Under the Rhode Island Identity Theft Protection Act, a breach is the unauthorized access to, or acquisition of, unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a municipal agency, state agency, or person.

Must Notification be Provided in the Event of a Breach?

Notification must be provided of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any Rhode Island resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

Notification to individuals must be made in the most expedient time possible, but no later than forty-five (45) calendar days after confirmation of the breach.
In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person (as applicable) must notify the Rhode Island attorney general and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected people.

What is the Penalty for Violation of the Rhode Island Identity Theft Protection Act?

Each reckless violation of the law is a civil violation, punishable by up to $100 per record. Each knowing and willful violation of the law is a civil violation, punishable by up to $20 per record. When the Rhode Island Attorney General has reason to believe that the law has been violated and that proceedings would be in the public interest, the Attorney General may bring an action in the name of the state against the business or person in violation.

Does the Rhode Island Identity Theft Protection Act contain a HIPAA Safe Harbor provision?

Yes. Under the Rhode Island Identity Theft Protection Act, a provider of health care, a health care service plan, a health insurer, or a covered entity subject to the HIPAA Privacy and Security Rules is deemed to be in compliance with the Rhode Island Identity Theft Protection Act.