The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who maintain, acquire, use, or license PII, to implement and maintain a risk-based information security program that meets current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures, programs, and practices tailored to the organization's size and the nature of the information.

Additionally, entities that disclose PII to nonaffiliated third parties must require, by written contract, that those parties and any subcontracted parties implement and maintain reasonable security procedures that are appropriate to the size and nature of the data. Municipal and state agencies are now obligated to provide annual updates to the General Assembly and the Division of Enterprise Technology Strategy and Services (ETSS) or its successor.

The bill introduces stricter notification requirements for data breaches involving PII, mandating that notification be provided to affected individuals and relevant authorities, including the ETSS and major credit reporting agencies, without unreasonable delay. It establishes penalties for violations, including increased fines for reckless or willful breaches, and allows courts to impose additional appropriate sanctions as warranted by the circumstances.

The bill eliminates the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information," which encompasses information that can be used to distinguish or trace an individual's identity. The changes will take effect on July 1, 2025.