Sen. Gu, Rep. Carson bill would modernize identity theft protection laws
“In the wake of the RIBridges cyberattack, it’s important to
set clear expectations that state agencies, municipalities and companies should
be meeting current best practices of an industry-recognized cybersecurity
framework, such as NIST Cybersecurity Framework, to protect the personally
identifiable information of Rhode Islanders,” said Senator Gu (D-Dist. 38,
Westerly, Charlestown, South Kingstown) who chairs the Senate Committee on
Artificial Intelligence and Emerging Technologies. “Our current laws governing
the protection of this information need updating to match the reality of our
increasingly digital world and its threats.”
The December 2024 breach of RIBridges, Rhode Island’s
online portal for social services, affected around 650,000 people in total,
releasing Social Security numbers, employment details, financial data and other
personal information to the dark web. Senator Gu and Representative Carson saw
this as a clear sign that Rhode Island needed to update its cybersecurity
standards.
“As our lives become increasingly digital, it is no surprise that identity theft is one of the fastest growing cybercrimes. We are no strangers to large data breaches here in Rhode Island, and many of us were asked to take steps to protect ourselves after the RIBridges attack. But just asking residents to protect themselves is insufficient. Especially as AI and related technologies grow in capability and popularity, we as legislators need to take serious steps to make sure Rhode Islanders are protected. It is time to update our identity theft protections, which have seen minimal changes over the last decade — an eternity considering how technology and our digital lives have changed since 2015,” said Representative Carson (D-Dist. 75, Newport).
The bill (2026-S 2638, 2026-H 7509) would amend the Identity Theft Protection Act
of 2015 to modernize its requirements and definitions. It would change
references to protecting “personal information” in the law to “personally
identifiable information,” a more expansive term that includes all information
that can be used to reveal a person’s identity.
Entities that handle this information are already required
to maintain a risk-based information security program, and the bill clarifies
that this program must meet current best practices as outlined in an industry
recognized cybersecurity framework, with controls to restrict and manage access
to this data.
“It is essential to have clear safeguards that protect the
personal information of Rhode Islanders. Many of us manage sensitive financial,
medical and digital records, and when those details fall into the wrong hands,
it can disrupt not only our finances but our sense of security. Strengthening
practices that help keep Rhode Islanders’ information safe gives older adults
the confidence to stay engaged, connected and independent in an increasingly
digital world,” said AARP RI State Director Catherine Taylor.
The bill would maintain the existing penalties in law for
“reckless” or “knowing and willful violations,” but adds an additional tool to
allow courts to impose additional sanctions if the circumstances of a violation
warrant it.
The bill would also update the reporting requirements of
state agencies, municipalities and companies when a breach has occurred to
include timely notification to the Rhode Island Division of Enterprise
Technology Strategy and Services (ETSS).
ETSS is the Rhode Island agency responsible for oversight,
coordination and development of all IT staff and resources within the executive
branch of government. It works to standardize the state’s ongoing investments
in software, networks and cybersecurity.
Senator Gu and Representative Carson sponsored similar
legislation last year. This year’s version incorporates feedback gained from
experts and the business community during last year’s committee process.
Cybercrime losses topped $16 billion nationwide in 2024 —
a 33% increase from 2023. According to the FBI’s Boston
Division, which covers Maine, Massachusetts, New Hampshire and Rhode Island,
New Englanders reported total losses to cybercrime in 2024 of $446.7 million, with
common victims including senior citizens and small businesses.
Senator Gu and Representative Carson point out that by
increasing data safety standards, this bill helps to protect both individuals
and small businesses from losses from scams, fraud and ransomware.