Victoria's bill to protect consumers advances and, hopefully will pass before General Assembly adjourns
.webp)
“In the wake of the RIBridges cyberattack, it’s important to
set clear expectations that state agencies, municipalities and companies should
be meeting current best practices of an industry-recognized cybersecurity
framework, such as NIST Cybersecurity Framework, to protect the personally
identifiable information of Rhode Islanders,” said Senator Gu (D-Dist. 38,
Westerly, Charlestown, South Kingstown) who chairs the Senate Committee on
Artificial Intelligence and Emerging Technologies. “Our current laws governing
the protection of this information need updating to match the reality of our
increasingly digital world and its threats.”
The December 2024 breach of RIBridges, Rhode Island’s
online portal for social services, affected around 650,000 people in total,
releasing Social Security numbers, employment details, financial data and other
personal information to the dark web. Senator Gu and Representative Carson saw
this as a clear sign that Rhode Island needed to update its cybersecurity
standards.
The bill (2026-S 2638Aaa) now goes the House, where Lauren H. Carson
(D-Dist. 75, Newport) has introduced similar legislation (2026-H 7509).
The bill would amend the Identity Theft Protection Act of 2015 to modernize its requirements and definitions. It would change references to protecting “personal information” in the law to “personally identifiable information,” a more expansive term that includes all information that can be used to reveal a person’s identity.
Entities that handle this information are already required
to maintain a risk-based information security program, and the bill clarifies
that this program must meet current best practices as outlined in an industry
recognized cybersecurity framework, with controls to restrict and manage access
to this data.
“It is essential to have clear safeguards that protect the
personal information of Rhode Islanders. Many of us manage sensitive financial,
medical and digital records, and when those details fall into the wrong hands,
it can disrupt not only our finances but our sense of security. Strengthening
practices that help keep Rhode Islanders’ information safe gives older adults
the confidence to stay engaged, connected and independent in an increasingly
digital world,” said AARP RI State Director Catherine Taylor.
The bill would maintain the existing penalties in law for
“reckless” or “knowing and willful violations,” but adds an additional tool to
allow courts to impose additional sanctions if the circumstances of a violation
warrant it.
The bill would also update the reporting requirements of
state agencies, municipalities and companies when a breach has occurred to
include timely notification to the Rhode Island Division of Enterprise
Technology Strategy and Services (ETSS).
ETSS is the Rhode Island agency responsible for oversight,
coordination and development of all IT staff and resources within the executive
branch of government. It works to standardize the state’s ongoing investments
in software, networks and cybersecurity.
The bill would also require ETSS to publish and update
educational materials on its website regarding current industry best practices
in cybersecurity.
Senator Gu sponsored similar legislation last year. This
year’s version incorporates feedback gained from experts and the business
community during last year’s committee process.
Cybercrime losses topped $16 billion nationwide in 2024 —
a 33% increase from 2023. According to the FBI’s Boston
Division, which covers Maine, Massachusetts, New Hampshire and Rhode Island,
New Englanders reported total losses to cybercrime in 2024 of $446.7 million, with
common victims including senior citizens and small businesses.
Senator Gu points out that by increasing data safety
standards, this bill helps to protect both individuals and small businesses
from losses from scams, fraud and ransomware.
