The bill amends the "Identity Theft Protection Act of 2015" to enhance the security of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals handling PII, to implement and maintain a risk-based information security program that meets current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures, programs, and practices tailored to the organization's size and the nature of the information collected.

Entities disclosing PII to nonaffiliated third parties must require, by written contract, that those parties and any subcontracted parties implement and maintain reasonable security procedures that are appropriate to the size and complexity of the data. Municipal and state agencies are mandated to provide annual updates to the General Assembly and the Division of Enterprise Technology Strategy and Services (ETSS) regarding their security practices.

Key changes include the elimination of the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information." The bill updates notification requirements for cybersecurity incidents, mandating that municipal and state agencies notify the Rhode Island state police within 24 hours of detection; the state police must then inform the ETSS. Notifications must detail the incident, including how it occurred, any mitigating actions taken, and any notifications made to regulatory or federal entities.

The bill clarifies that compliance with federal laws regarding federal tax information is not impaired and raises penalties for violations of notification requirements. The act is set to take effect on July 1, 2027.