The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who maintain, acquire, use, own, or license PII, to implement and maintain a risk-based information security program that meets current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures, programs, and practices tailored to the organization's size and the nature of the information.

Entities disclosing PII to nonaffiliated third parties must require, by written contract, that those parties and any subcontracted parties implement and maintain reasonable security procedures that are appropriate to the size and nature of the data. Municipal and state agencies are now obligated to provide annual updates to the General Assembly and the division of enterprise technology strategy and services (ETSS) or its successor.

The bill revises notification requirements for data breaches involving PII, mandating that any entity that discloses PII must notify affected individuals and relevant authorities of any breach that poses a significant risk of identity theft. The notification must be made to the attorney general, the ETSS or its successor, and the major credit reporting agencies. Additionally, the state police must be notified within 24 hours of a cybersecurity incident, and the state police in turn must inform the ETSS or its successor within the same timeframe. Enhanced notification details are required, including a description of the incident, the date it occurred, and any mitigating actions taken.

The bill raises the penalties for violations, including civil penalties for reckless or willful breaches. It eliminates the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information." These amendments will take effect on July 1, 2025.