The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals handling PII, to implement and maintain a risk-based information security program that meets current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures and practices to safeguard PII from unauthorized access and ensure that such information is not retained longer than necessary. Additionally, third parties receiving PII are mandated to maintain appropriate security measures through written contracts.
The bill introduces annual reporting requirements to the General Assembly and the division of enterprise technology strategy and services (ETSS) regarding these practices. It clarifies notification protocols for data breaches involving PII, requiring timely notifications to affected individuals and relevant authorities, including the attorney general and credit reporting agencies. The bill eliminates the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information."
Agencies must notify the Rhode Island state police of any cybersecurity incident within 24 hours; the state police will then inform the division of enterprise technology strategy and services. The bill raises penalties for violations and specifies that notifications must include details about the incident and any mitigating actions taken. It is set to take effect on July 1, 2026.