The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who maintain, acquire, use, or license PII, to implement and maintain a risk-based information security program that aligns with current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures, programs, and practices tailored to the organization's size and the nature of the information.

Entities that disclose PII to nonaffiliated third parties must ensure, through written contracts, that those parties implement and maintain reasonable security measures appropriate to the size and nature of the data. Additionally, municipal and state agencies are required to provide annual updates to the General Assembly and the Division of Enterprise Technology Strategy and Services (ETSS) or its successor.

The bill introduces stricter notification requirements for data breaches involving PII, mandating that any entity that experiences a breach must notify the affected individuals, the ETSS or its successor, and the major credit reporting agencies without unreasonable delay. In addition, the state police must be notified within twenty-four (24) hours of the initial notification of a cybersecurity incident, and the state police must in turn inform the ETSS or its successor within the same twenty-four-hour window. The notification must include details about the incident, such as a description, the date it occurred, any mitigating actions taken, and any notifications made to regulatory or federal entities.

The bill raises penalties for violations and clarifies that compliance with existing security breach procedures can satisfy the new notification requirements, provided they meet or exceed the amended act's standards. These changes will take effect on July 1, 2025.