RI S0603

Provides standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.


Introduced: 03/06/2025
In Committee: 06/17/2025
Crossed Over: 06/20/2025
Passed: 07/02/2025
Dead
Signed/Enacted/Adopted: 07/02/2025

Introduced Session

2025 Regular Session

Bill Summary

This act would provide standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information held by entities licensed under chapter 14 of title 19 relating to licensed activities of financial institutions. This act would take effect upon passage.

AI Summary

This bill provides comprehensive standards for financial institutions to protect customer information through robust cybersecurity practices. The bill requires licensed entities to develop and maintain a written information security program that includes administrative, technical, and physical safeguards tailored to the organization's size, complexity, and the sensitivity of customer data. Key provisions include: designating a qualified individual to oversee the security program; conducting regular risk assessments to identify potential security threats; implementing encryption and multi-factor authentication; establishing access controls; developing secure data retention and disposal procedures; performing ongoing testing and monitoring of information systems, including annual penetration testing and vulnerability assessments; providing security awareness training for personnel; carefully vetting and monitoring third-party service providers; creating a written incident response plan; and requiring annual reporting to the organization's leadership about the status and effectiveness of the information security program. The bill also mandates that licensees promptly notify the director within three business days of a security event that could materially harm consumers or the organization's operations, providing detailed information about the breach, its potential impact, and remediation efforts. Notably, the bill does not apply to regulated financial institutions already subject to federal banking regulations.

Committee Categories

Business and Industry

Sponsors (8)

Last Action

Signed by Governor (on 07/02/2025)
