The bill amends the "Identity Theft Protection Act of 2015" to enhance the protection of personally identifiable information (PII) for Rhode Island residents. It requires municipal and state agencies, as well as individuals who maintain, acquire, use, or license PII, to implement and maintain a risk-based information security program that aligns with current best practices of an approved and industry-recognized cybersecurity framework. This program must include reasonable security procedures and practices to protect PII from unauthorized access and limit the retention of such information. Additionally, third parties receiving PII are required to implement and maintain reasonable security measures through written contracts.

The bill mandates that municipal and state agencies provide an annual update to the General Assembly and the division of enterprise technology strategy and services (ETSS) regarding their information security practices. It clarifies notification requirements in the event of a data breach, specifying that notification must be provided to affected individuals and relevant authorities, including the attorney general and major credit reporting agencies, without unreasonable delay. The state police must be notified within 24 hours of a cybersecurity incident, and they are required to inform the ETSS within the same timeframe. Notifications must include details about the incident, including the date, any mitigating actions taken, and notifications made to regulatory or federal entities.

The bill eliminates the definitions for "classified data" and "personal information," while introducing a new definition for "personally identifiable information." It raises the penalties for violations of the act and includes provisions for additional appropriate sanctions as warranted by the circumstances. The act is set to take effect on July 1, 2026.