Rhode Island Data Breach Notification Package
(Letter Templates to the Rhode Island Attorney General & Affected Consumers)
[// GUIDANCE: This package contains two fully-compliant notification letters—one to the Rhode Island Attorney General (“AG Letter”) and one to affected Rhode Island residents (“Consumer Letter”). Complete all bracketed placeholders and review statutory cross-references before issuance. Rhode Island requires notice within 45 days of confirmation of a breach involving “personal information.” See R.I. Gen. Laws § 11-49.3-3 (2024).]
Table of Contents
- Key Rhode Island Statutory Requirements
- Customization Checklist
- AG Letter Template
- Consumer Letter Template
1. Key Rhode Island Statutory Requirements
• Timing: Written notice to affected individuals and the RI AG must be sent no later than 45 calendar days after confirmation of a breach.
• AG Notice Threshold: Required when the breach involves > 500 Rhode Island residents.
• Mandatory Content (Consumers):
– Incident description (general, non-technical).
– Breach date & discovery date (or estimated range).
– Categories of personal information compromised.
– Remedial actions taken by the organization.
– Steps the individual can take to protect themselves, including toll-free numbers for the three major consumer reporting agencies and the FTC.
– Offer of 24 months of identity theft protection services at no cost if Social Security numbers, driver’s license numbers, or RI state-ID numbers were affected.
• Prohibited Content: Do not include the nature of any ongoing law-enforcement investigation if disclosure would impede it.
• Form of Notice: Written notice by first-class mail unless the resident has validly elected e-mail notice.
[// GUIDANCE: For a complete statutory checklist, see R.I. Gen. Laws §§ 11-49.3-2, -3, -4.]
2. Customization Checklist
- Insert company legal name, address, and point-of-contact.
- Confirm breach confirmation date ➔ calculate 45-day deadline.
- Verify total number of impacted RI residents.
- Complete narrative of incident (high-level, non-technical).
- Identify precise categories of personal information exposed.
- Secure vendor contract for 24-month credit-monitoring service (if required) and insert enrollment instructions.
- Confirm whether law-enforcement agency has requested a brief delay; if so, include required certification language.
- Final legal review for privilege, accuracy, and completeness.
3. Rhode Island Attorney General Notification Letter
(First-Class Mail or Courier – CONFIDENTIAL)
[Letterhead of Organization]
[Date]
Hon. [Name of AG or “Data Breach Unit”]
Office of the Rhode Island Attorney General
150 South Main Street
Providence, RI 02903
Re: Notice of Data Security Breach – [Organization Name] – [Incident Name/Reference]
Dear Attorney General [Last Name]:
1. Introduction
Pursuant to R.I. Gen. Laws § 11-49.3-3, [Organization Name], a [state of incorporation] [corporate form], hereby provides notice of a data security breach involving the personal information of Rhode Island residents.
2. Breach Overview
• Date(s) of Breach: [Insert date range or “On or about” statement].
• Date Breach Confirmed: [Insert date].
• Discovery Method: [Brief description].
• Number of Affected RI Residents: [Insert total] (exceeds 500 individuals).
3. Incident Description
[Provide concise, non-technical narrative of how the breach occurred, e.g., “On [date], an unauthorized third party gained access to an employee’s e-mail account through a phishing attack…”].
4. Categories of Personal Information Involved
Check all that apply:
☐ Social Security numbers
☐ Driver’s license or Rhode Island identification card numbers
☐ Financial account numbers with access codes
☐ Medical or health-insurance information
☐ [Other PI as defined in the statute]
5. Remediation & Mitigation Steps
• Containment: [e.g., “Disabled compromised credentials and isolated affected servers”].
• Forensic Investigation: [Firm name] engaged on [date].
• Security Enhancements Implemented: [Multi-factor authentication, system patching, etc.].
• Credit Monitoring: Two-year identity-theft protection service offered to affected residents at no cost (details in consumer letter).
6. Law-Enforcement Coordination
[If applicable] On [date], [Organization] notified [Law-Enforcement Agency] and is cooperating in the ongoing investigation. [Agency] requested that certain technical details remain confidential to avoid impeding the investigation.
7. Consumer Notification & Timing
Individual notification letters will be mailed beginning on [mailing start date] and completed no later than [end date], within the 45-day statutory period.
8. Contact Information
Please direct any follow-up questions to:
[Name, Title]
[Organization Name]
[Street Address]
[City, State ZIP]
Direct: [Phone] | E-mail: [Email]
Respectfully submitted,
[Name]
[Title]
[Organization Name]
4. Rhode Island Consumer Notification Letter
(First-Class Mail – IMPORTANT INFORMATION ENCLOSED)
[Letterhead of Organization]
[Date]
[Recipient Name]
[Street Address]
[City, State ZIP]
Re: NOTICE OF DATA BREACH
Dear [Recipient Name]:
1. What Happened?
On [date], we discovered that an unauthorized third party accessed certain [Organization Name] systems. After a thorough investigation completed on [confirmation date], we determined that your personal information may have been compromised.
2. What Information Was Involved?
Based on our investigation, the following information related to you was exposed:
• [e.g., Social Security number]
• [Driver’s license or RI ID number]
• [Financial account information]
3. What We Are Doing
• We immediately secured our systems, engaged a leading cybersecurity firm, and notified law enforcement.
• We are enhancing our network security, including [describe enhancements].
• At no cost to you, we are offering 24 months of credit monitoring and identity theft protection through [Vendor Name]. This service includes: credit monitoring of all three credit bureaus, $1 million identity theft insurance, and fraud resolution support. To enroll, please follow the instructions in Section 6 below.
4. What You Can Do
We recommend that you:
• Enroll in the complimentary credit-monitoring service.
• Review your account statements and credit reports for unauthorized activity.
• Consider placing a fraud alert or security freeze on your credit file (see contact information below).
5. Other Important Information
You can obtain additional information about identity theft from the Federal Trade Commission (“FTC”):
• Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580
• 1-877-ID-THEFT (877-438-4338) | www.identitytheft.gov
Credit Reporting Agencies (toll-free numbers):
• Equifax: 1-800-349-9960
• Experian: 1-888-397-3742
• TransUnion: 1-888-909-8872
6. How to Enroll in Complimentary Credit Monitoring
[Detailed step-by-step enrollment instructions, including redemption code and deadline (minimum 90 days from letter date).]
7. For More Information
If you have questions, please call our dedicated hotline at [toll-free number] between [business hours], or e-mail us at [e-mail address].
We regret any inconvenience or concern this incident may cause and are committed to protecting your information.
Sincerely,
[Name]
[Title]
[Organization Name]
[Street Address] | [City, State ZIP] | [Phone]
[// GUIDANCE:
• Retain proof of mailing (e.g., USPS Certificate of Mailing).
• Keep copies of all notices for at least four years in case of regulatory inquiry or private litigation.
• If more than 1,000 Rhode Island residents are notified, you must also notify national consumer reporting agencies.
• Review insurance policies (cyber, professional liability) for notice and cooperation obligations.]