The bill amends Chapter 19-14 of the General Laws by introducing two new sections aimed at enhancing information security for licensed activities. Section 19-14-35 requires each licensee to develop, implement, and maintain a comprehensive information security program that is documented in accessible parts and tailored to the licensee's size, complexity, nature of activities, and sensitivity of customer information. This program must include administrative, technical, and physical safeguards, designate a qualified individual for oversight, and conduct regular risk assessments. The section also specifies measures for protecting customer information, such as encryption, access controls, incident response plans, and ongoing testing of security measures.
Section 19-14-36 establishes a notification requirement for licensees in the event of a security event, mandating that they notify the director or the director's designee as promptly as possible, but no later than three business days after determining that a security event has occurred that could materially harm consumers or the licensee's operations. The notification must include details about the nature of the compromised data, the number of affected consumers, and any remediation efforts being undertaken. Additionally, the section allows for initial delays in notification if law enforcement determines that public disclosure would impede a criminal investigation or harm national security. The bill clarifies that its provisions do not apply to regulated institutions or their subsidiaries that are subject to federal bank holding company laws and regulations. Overall, it aims to enhance the security and confidentiality of customer information held by licensed financial institutions.