The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who handle PII, to implement and maintain a risk-based information security program that adheres to current best practices of an approved and industry-recognized cybersecurity framework. These entities must ensure the confidentiality, integrity, and availability of PII, and manage access to the data both in transit and at rest. Additionally, third parties that receive PII must be contractually obligated to implement reasonable security procedures that are appropriate to the size and scope of the data they handle.

The bill also mandates that municipal and state agencies provide annual updates to the General Assembly and the division of enterprise technology strategy and services (ETSS) or its successor. It revises definitions related to data breaches and increases penalties for violations, replacing "personal information" with "personally identifiable information" to broaden the definition of sensitive data. Penalties for reckless violations are raised to $1,000 per record, while knowing violations can incur fines of up to $2,000 per record.

Furthermore, the bill introduces new notification requirements for cybersecurity incidents, stipulating that any entity that discloses PII must notify affected individuals and relevant authorities, including ETSS and the major credit reporting agencies, of any breach that poses a significant risk of identity theft. The state police must be notified within twenty-four (24) hours of the initial notification, and the notification must include details about the incident and any mitigating actions taken. The act will take effect upon passage.