The proposed bill amends the "Identity Theft Protection Act of 2015" to enhance the security measures for handling personally identifiable information (PII) of Rhode Island residents. Key insertions include the requirement for municipal and state agencies, as well as entities managing PII, to implement a risk-based information security program aligned with approved cybersecurity frameworks. The bill mandates that these entities protect PII from unauthorized access, manage data access in transit and at rest, and ensure that third parties receiving PII maintain reasonable security procedures. Additionally, it introduces a requirement for annual updates to the General Assembly regarding these security measures. The bill also revises definitions, replacing "personal information" with "personally identifiable information" to broaden the scope of sensitive data and clarifying the conditions under which a breach occurs.

Moreover, the bill increases penalties for violations, raising the maximum penalty for general violations from $100 to $1,000 and for knowing and willful violations from $200 to $2,000. It establishes notification requirements for municipal and state agencies and private entities in the event of a data breach, mandating timely notifications to affected individuals and relevant authorities, including the attorney general. The bill also requires that any municipal or state agency detecting a cybersecurity incident notify the Rhode Island state police within 24 hours; the state police must then inform the division of enterprise technology strategy and services. The act eliminates the definitions for "classified data" and "personal information," replacing them with a definition for "personally identifiable information," and will take effect upon passage.