The bill amends Chapter 19-14 of the General Laws by introducing two new sections aimed at enhancing information security for licensed activities. Section 19-14-35 requires each licensee to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards appropriate to the licensee's size, complexity, nature and scope of activities, and the sensitivity of customer information. This program must include the designation of a qualified individual responsible for oversight, regular risk assessments to identify and mitigate risks to customer information, and specific measures for protecting customer information, such as encryption and incident response plans.

Section 19-14-36 establishes a notification requirement for licensees in the event of a security event, mandating that they notify the director or the director's designee as promptly as possible, but no later than three business days from the determination of a security event that meets certain criteria. The notification must include details about the nature of the compromised data, the number of affected consumers, and any remediation efforts being undertaken. The section also outlines protocols for law enforcement regarding the handling of security events, allowing for initial delays in notification if necessary. Importantly, the bill clarifies that its provisions do not apply to regulated institutions or their subsidiaries that are subject to federal bank holding company laws and regulations, aiming to enhance the security and confidentiality of customer information held by licensed financial institutions.