The bill amends Chapter 19-14 of the General Laws by introducing two new sections aimed at enhancing information security for licensed activities. Section 19-14-35 requires each licensee to develop, implement, and maintain a comprehensive information security program that is documented in accessible parts and tailored to the licensee's size, complexity, nature of activities, and sensitivity of customer information. This program must include administrative, technical, and physical safeguards, designate a qualified individual to oversee it, and conduct regular risk assessments. The section also outlines specific requirements for protecting customer information, including the use of encryption, access controls, secure development practices, incident response plans, and ongoing testing of security measures.

Section 19-14-36 establishes a notification protocol for licensees in the event of a security event, requiring them to notify the director or the director's designee as promptly as possible, but no later than three business days after determining that a significant security event has occurred. The notification must include details about the event, the types of information involved, the date of the event, the number of consumers affected, and remediation efforts. Additionally, the section allows for an initial delay of up to thirty days in public disclosure of a security event if requested by law enforcement, with potential extensions if necessary. The provisions of this section do not apply to regulated institutions or their subsidiaries that are subject to federal bank holding company laws and regulations. The legislation will take effect immediately upon passage.