The bill proposes amendments to the "Identity Theft Protection Act of 2015," introducing new definitions and updating the notification requirements in the event of a data breach. It defines "Classified data" as non-public data requiring additional security controls, and "Cybersecurity incident" as unauthorized access that could compromise critical information systems. The definition of "Breach of the security of the system" is updated to mean unauthorized access or acquisition of unencrypted data that compromises personal information security, excluding good-faith acquisitions by employees not leading to further unauthorized disclosure.

Notification requirements are tightened, reducing the timeframe for notifying affected Rhode Island residents from 45 to 30 calendar days after confirming a data breach that poses a significant risk of identity theft. Entities must also notify the attorney general and major credit reporting agencies if more than 500 residents are affected. The bill outlines the content required in notifications, mandates state and municipal agencies to provide remediation services, and introduces a 24-hour notification requirement to the Rhode Island state police for cybersecurity incidents. Non-compliance may result in liability, and the bill will be effective upon passage.