Breach reporting to the Attorney General and the major credit reporting agencies is required if more than 500 Rhode Island residents are to be notified of a breach. Specific notification details are required.

If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside

In addition to penalties of up to $200 per record for violations involving breach notification and reporting, the Attorney General may bring an action in the name of the state, against the business or person in violation. Violations of the Safe Destruction of Documents Containing Personal Information law could have civil penalties of $500 per violation, up to $50,000.

Organizations must contract with Vendors to whom the Organization discloses personal information. Organizations and Vendors are required to have in place security procedures and practices to protect personal information. Organizations and Vendors in the business of destroying records must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable. Vendors must ensure the protection of personal information during disposal.

If a Vendor is breached, they should notify the Organization. The Organization will be responsible to complete the reporting and consumer notification.