The bill amends Chapter 19-14 of the General Laws by introducing two new sections aimed at enhancing information security for licensed activities. Section 19-14-35 mandates that each licensee develop, implement, and maintain a comprehensive information security program tailored to their size, complexity, and the sensitivity of customer information. This program must include administrative, technical, and physical safeguards, designate a qualified individual for oversight, and conduct regular risk assessments. It also specifies requirements for protecting customer information, including encryption, access controls, and incident response plans.

Section 19-14-36 establishes a notification protocol for licensees in the event of a security event, requiring them to notify the director or the director's designee as promptly as possible, but no later than three business days after determining that a security event has occurred. This notification must include details about the nature of the event, the types of information involved, the date of the event, the number of affected consumers, and efforts to remediate the situation. The section also allows for initial delays in notification if requested by law enforcement to avoid impeding a criminal investigation or national security.

The bill clarifies that its provisions do not apply to any regulated institution as defined in section 19-1-1, nor to their subsidiaries or bank holding companies subject to federal bank holding company laws and regulations.