State notification register
Rhode Island data breach notification law: within 45 calendar days after confirmation of the breach (30 days for government agencies).
Rhode Island's breach-notification obligations are set by R.I. Gen. Laws Ch. 11-49.3 (Identity Theft Protection Act of 2015). This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.
Individual deadline
45 days
From discovery / determination
AG notification
500
500 or more Rhode Island residents
Private action
No
No direct individual lawsuits
Statute
RI
R.I. Gen. Laws Ch. 11-49.3
Section RI.1
What the statute requires
Under R.I. Gen. Laws Ch. 11-49.3, the Identity Theft Protection Act of 2015, a business that owns or licenses computerized personal information of Rhode Island residents must notify affected individuals within 45 calendar days after confirmation of the breach (30 days for government agencies).
Attorney general or state-agency notification is 500 or more rhode island residents. Where required, the timeline is: simultaneously with individual notice.
Section RI.2
What triggers notification
Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.
Encryption safe harbor
Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.
Who must be notified
- [1] Affected Rhode Island residents: 45 days
- [2] Attorney general / state agency: 500 or more rhode island residents
- [3] Consumer reporting agencies where the breach is large-scale
Section RI.3
Penalties and enforcement
Up to $100 per record (reckless) or $200 per record (knowing and willful), no aggregate cap.
Private right of action: No. No direct individual lawsuits; AG holds exclusive enforcement authority.
Primary source:Rhode Island statute R.I. Gen. Laws Ch. 11-49.3 (Identity Theft Protection Act of 2015); verified June 2026 against state statutory summaries and the underlying statute text.
Section RI.4
How this compares to the strictest states
The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where Rhode Island sits.
Rhode Island imposes a fixed 45-day deadline. The strictest states cut this to 30 days, so Rhode Island sits 15 days behind the tightest regimes.
Cross-references
Index / All 50 states + DC
→The full register: deadline and AG threshold for every state.
Schedule 09 / Notification laws
→Global frameworks and the cost of notification.
01 / Breach cost calculator
→Estimate your Rhode Island breach exposure, including notification cost.
Regulation / GDPR
→The 72-hour clock and 4%-of-revenue fine framework.
Cost / Notification
→Why notification is roughly 6% of total breach cost.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source:Rhode Island data breach notification statute (R.I. Gen. Laws Ch. 11-49.3). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.