The bill seeks to amend the "Identity Theft Protection Act of 2015" by introducing new definitions and updating the requirements for notification in the event of a data breach. It defines "Classified data" as non-public data that requires additional security controls and "Cybersecurity incident" as unauthorized access that could compromise critical information systems. The bill shortens the notification timeline from 45 to 15 days after a breach is confirmed and requires notification to a union representative when applicable. Notifications can be delayed if they would impede a criminal investigation, but must be issued as soon as they no longer pose a risk. The notification must include specific details about the breach and information on remediation services.

Additionally, the bill mandates that municipal and state agencies report cybersecurity incidents to the Rhode Island state police within 24 hours of detection, with penalties for non-compliance. It also specifies that remediation services for identity theft victims must include a minimum of five years of coverage for adults and, for minors, coverage that extends until age 18 plus two years. The bill is set to take effect immediately upon passage.