The bill amends Chapter 19-14 of the General Laws by introducing two new sections aimed at enhancing information security for licensed activities. Section 19-14-35 requires each licensee to develop, implement, and maintain a comprehensive information security program that is documented in accessible parts and tailored to the licensee's size, complexity, nature of activities, and sensitivity of customer information. This program must include administrative, technical, and physical safeguards, designate a qualified individual for oversight, conduct risk assessments, and implement security measures such as encryption and access controls. Additionally, the section mandates ongoing testing and monitoring of the program, as well as annual compliance reporting to the board of directors or equivalent governing body.
Section 19-14-36 establishes a notification requirement for licensees in the event of a security event, requiring them to notify the director or the director's designee as promptly as possible, but no later than three business days after determining that a security event has occurred that meets specified criteria. The notification must include details about the event, the types of information involved, the estimated number of affected consumers, and the efforts being undertaken to remediate the situation. The section also outlines protocols for law enforcement regarding the handling of security events, allowing for initial delays in notification if necessary. Importantly, the bill clarifies that its provisions do not apply to regulated institutions or their subsidiaries that are subject to federal bank holding company laws and regulations. Overall, the bill aims to enhance the security and confidentiality of customer information held by licensed financial institutions.