The bill amends Chapter 19-14 of the General Laws, specifically adding a new section, 19-14-35, which requires licensees to establish a comprehensive information security program. This program must be documented and include administrative, technical, and physical safeguards tailored to the licensee's specific circumstances. Key definitions are provided for terms such as "customer," "customer information," and "security event," which help clarify the responsibilities of licensees in protecting customer data. The bill also mandates that licensees designate a qualified individual to oversee the program, conduct risk assessments, and implement necessary safeguards, with a strong emphasis on encryption and secure development practices.

Additionally, the bill introduces new requirements for the timely disposal of customer information, mandates periodic reviews of data retention policies, and requires annual penetration testing and vulnerability assessments. Licensees must also establish a written incident response plan and report annually on the status of their information security programs. A new section, 19-14-36, is added to outline the obligations of licensees to notify the director of any security events within three business days, including details about the event and any remediation efforts. Overall, the legislation aims to enhance the security and integrity of customer information held by licensed financial institutions, ensuring they are proactive in managing information security risks.