Bill > S1037

This bill amends the Identity Theft Protection Act of 2015 by comprehensively updating definitions and strengthening cybersecurity requirements for municipal and state agencies, as well as private entities handling sensitive information. The legislation replaces the term "personal information" with "personally identifiable information" and introduces a broader, more inclusive definition that encompasses direct and indirect identifiers, biometric data, and internet data. The bill mandates that agencies and organizations implement risk-based information security programs adhering to current industry best practices, with specific requirements for data protection, access management, and secure data destruction. It also establishes more rigorous notification procedures in the event of a data breach, requiring timely communication with affected individuals, the attorney general, and the division of enterprise technology strategy and services (ETSS). Additionally, the bill increases penalties for violations, with civil penalties ranging from $100 to $200 per record for reckless or willful breaches, and grants courts the discretion to impose additional sanctions. The legislation aims to enhance data protection, create more transparent breach notification processes, and provide stronger safeguards for individuals' sensitive information. The changes will take effect on July 1, 2025, giving organizations time to adapt to the new requirements.

Business and Industry

https://status.rilegislature.gov/