The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who handle PII, to implement and maintain a risk-based information security program that adheres to current best practices of an approved and industry-recognized cybersecurity framework. The bill requires these entities not to retain personally identifiable information longer than necessary and to securely destroy it when it is no longer needed, following recognized sanitization and destruction guidelines.
Additionally, if PII is disclosed to nonaffiliated third parties, those parties are required to implement reasonable security procedures and practices to protect the information. The bill introduces more stringent notification requirements in the event of a data breach, requiring affected individuals to be informed of any breach that poses a significant risk of identity theft. It specifies that notifications must be made to the division of enterprise technology strategy and services (ETSS) or its successor agency, as well as to major credit reporting agencies.
The bill raises penalties for violations, increasing fines for reckless violations from $100 to $1,000 per record, and for knowing violations from $200 to $2,000 per record. It eliminates the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information." Furthermore, it requires agencies to notify the Rhode Island state police within 24 hours of a cybersecurity incident and enhances the information that must be included in such notifications, including any mitigating actions taken. This act will take effect upon passage.