Rhode Island General Laws Title 11. Criminal Offenses § 11-49.3-3. Definitions

(1) “Breach of the security of the system” means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person.  Good-faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system;  provided, that the personal information is not used or subject to further unauthorized disclosure.

(2) “Encrypted” means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.  Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.

(3) “Health insurance information” means an individual's health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

(4) “Medical information” means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or provider.

(5) “Municipal agency” means any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode Island, other than a state agency, and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

(6) “Owner” means the original collector of the information.

(7) “Person” shall include any individual, sole proprietorship, partnership, association, corporation, joint venture, business or legal entity, trust, estate, cooperative, or other commercial entity.

(8) “Personal information” means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:

(9) “Remediation service provider” means any person who or that, in the usual course of business, provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.

(10) “State agency” means any department, division, agency, commission, board, office, bureau, authority, or quasi-public authority within Rhode Island;  either branch of the Rhode Island general assembly or an agency or committee thereof;  the judiciary;  or any other agency that is in any branch of Rhode Island state government and that exercises governmental functions other than in an advisory nature.

(i) Written notice;

(ii) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001;  or

(iii) Substitute notice, if the municipal agency, state agency, or person demonstrates that the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal agency, state agency, or person does not have sufficient contact information.  Substitute notice shall consist of all of the following: