2025 -- S 0603
========
LC001327
========
S T A T E O F R H O D E I S L A N D
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2025
____________
A N A C T
RELATING TO FINANCIAL INSTITUTIONS -- LICENSED ACTIVITIES
Introduced By: Senators Britto, McKenney, Sosnowski, Gu, Felag, LaMountain,
DiPalma, and Bissaillon
Date Introduced: March 06, 2025
Referred To: Senate Commerce
(Dept. of Business Regulation)
It is enacted by the General Assembly as follows:
SECTION 1. Chapter 19-14 of the General Laws entitled "Licensed Activities" is hereby 1
amended by adding thereto the following sections: 2
19-14-35. Information security program.. 3
(a) Each licensee shall develop, implement, and maintain a comprehensive information 4
security program that is written in one or more readily accessible parts and contains administrative, 5
technical, and physical safeguards that are appropriate to the licensee’s size and complexity, the 6
nature and scope of activities, including its use of third-party service providers, and the sensitivity 7
of any customer information used by the licensee or is in the licensee’s possession. 8
(b) As used in this chapter, the following terms shall have the following meanings: 9
(1) “Customer” means a consumer who has a customer relationship with a licensee. 10
(2) “Customer information” means any record containing nonpublic personal information 11
about a consumer that a licensee has a relationship with, whether in paper, electronic, or other form, 12
that is handled or maintained by or on behalf of a licensee or its affiliates. 13
(3) “Encryption” means the transformation of data into a form that results in a low 14
probability of assigning meaning without the use of a protective process or key, consistent with 15
current cryptographic standards and accompanied by appropriate safeguards for cryptographic key 16
material. 17
(4) “Information security program” means the administrative, technical, or physical 18
safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of or 19
LC001327 - Page 2 of 8
otherwise handle customer information. 1
(5) “Information system” means a discrete set of electronic information resources 2
organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition 3
of electronic information, as well as any specialized system such as industrial or process controls 4
systems, telephone switching and private branch exchange systems, and environmental controls 5
systems that contains customer information or that is connected to a system that contains customer 6
information. 7
(6) “Notification event” means acquisition of unencrypted customer information without 8
the authorization of the individual to which the information pertains. Customer information is 9
considered unencrypted for this purpose if the encryption key was accessed by an unauthorized 10
person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted 11
customer information unless reliable evidence exists that proves there has not been, or could not 12
reasonably have been, unauthorized acquisition of such information. 13
(7) “Security event” means an event resulting in unauthorized access to, or disruption or 14
misuse of, an information system or information stored on such information system, or customer 15
information held in physical form, commonly known as a “cybersecurity event”. 16
(c) In order to develop, implement, and maintain the information security program, the 17
licensee shall: 18
(1) Designate a qualified individual responsible for overseeing, implementing, and 19
enforcing the information security program. The qualified individual may be employed by the 20
licensee, an affiliate, or a service provider. To the extent the requirement in subsection (a) of this 21
section is met using a service provider or an affiliate, the licensee shall: 22
(i) Retain responsibility for compliance with this section; 23
(ii) Designate a senior member of the licensee responsible for direction and oversight of 24
the qualified individual; and 25
(iii) Require the service provider or affiliate to maintain an information security program 26
that protects the licensee in accordance with the requirements of this section. 27
(2) Perform a risk assessment that identifies reasonably foreseeable internal and external 28
risks to the security, confidentiality, and integrity of customer information that could result in the 29
unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, 30
and assesses the sufficiency of any safeguards in place to control these risks. 31
(i) The risk assessment shall be written and shall include: 32
(A) Criteria for the evaluation and categorization of identified security risks or threats; 33
(B) Criteria for the assessment of the confidentiality, integrity, and availability of 34
LC001327 - Page 3 of 8
information systems and customer information, including the adequacy of the existing controls in 1
the context of identified risks or threats; and 2
(C) Requirements describing how identified risks will be mitigated or accepted based on 3
the risk assessment and how the information security program will address the risks. 4
(ii) A licensee shall periodically perform additional risk assessments that reexamine the 5
reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of 6
customer information that could result in the unauthorized disclosure, misuse, alteration, 7
destruction or other compromise of such information, and reassess the sufficiency of any safeguards 8
in place to control these risks. 9
(3) Design and implement safeguards to control the risks identified through risk assessment 10
by: 11
(i) Implementing and periodically reviewing access controls, including technical and as 12
appropriate, physical controls to: 13
(A) Authenticate and permit access only to authorized users to protect against the 14
unauthorized acquisition of customer information; and 15
(B) Limit authorized users’ access only to customer information that they need to perform 16
their duties and functions, or in the case of customers, to access their own information; 17
(ii) Identify and manage the data, personnel, devices, systems, and facilities that enable the 18
licensee to achieve business purposes in accordance with relative importance to business objectives 19
and the licensee’s risk strategy; 20
(iii) Protect by encryption all customer information held or transmitted both in transit over 21
external networks and at rest. To the extent it is determine that encryption of customer information, 22
either in transit over external networks or at rest, is infeasible, licensee may instead secure such 23
customer information using effective alternative compensating controls reviewed and approved by 24
the qualified individual; 25
(iv) Adopt secure development practices for in-house developed applications utilized by 26
the licensee for transmitting, accessing, or storing customer information and procedures for 27
evaluating, assessing, or testing the security of externally developed applications utilized to 28
transmit, access, or store customer information; 29
(v) Implement multi-factor authentication for any individual accessing any information 30
system, unless the qualified individual has approved in writing the use of reasonably equivalent or 31
more secure access controls; 32
(vi) Record retention: 33
(A) Develop, implement, and maintain procedures for the secure disposal of customer 34
LC001327 - Page 4 of 8
information in any format no later than two (2) years after the last date the information is used in 1
connection with the provision of a product or service to the customer which relates, unless such 2
information is necessary for business operations or for other legitimate business purposes, is 3
otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably 4
feasible due to the manner in which the information is maintained; and 5
(B) Periodically review data retention policies to minimize the unnecessary retention of 6
data; 7
(vii) Adopt procedures for change management; and 8
(viii) Implement policies, procedures and controls designed to monitor and log the activity 9
of authorized users and detect unauthorized access or use of, or tampering with, customer 10
information by such users. 11
(4) Based on its risk assessment, the licensee shall perform ongoing testing by: 12
(i) Regularly testing or otherwise monitoring the effectiveness of the safeguards’ key 13
controls, systems, and procedures, including those to detect actual and attempted attacks on, or 14
intrusions into, information systems; 15
(ii) For information systems, the monitoring and testing shall include continuous 16
monitoring or periodic penetration testing and vulnerability assessments. Absent effective 17
continuous monitoring or other systems to detect, on an ongoing basis, changes in information 18
systems that may create vulnerabilities, the licensee shall conduct: 19
(A) Annual penetration testing of its information systems determined each given year based 20
on relevant identified risks in accordance with the risk assessment; and 21
(B) Vulnerability assessments, including any systemic scans or reviews of information 22
systems reasonably designed to identify publicly known security vulnerabilities in the licensee’s 23
information systems based on the risk assessment, at least every six (6) months; and whenever there 24
are material changes to operations or business arrangements; and whenever there are circumstances 25
that the licensee knows or has reason to know may have a material impact on the information 26
security program. 27
(5) Implement policies and procedures to ensure that personnel have the ability to enact the 28
information security program by: 29
(i) Providing personnel with security awareness training that is updated as necessary to 30
reflect risks identified by the risk assessment; 31
(ii) Utilizing qualified information security personnel employed by the licensee or an 32
affiliate or service provider sufficient to manage information security risks and to perform or 33
oversee the information security program; 34
LC001327 - Page 5 of 8
(iii) Providing information security personnel with security updates and training sufficient 1
to address relevant security risks; and 2
(iv) Verifying that key information security personnel take steps to maintain current 3
knowledge of changing information security threats and countermeasures. 4
(6) Monitor service providers by: 5
(i) Taking reasonable steps to select and retain service providers that are capable of 6
maintaining appropriate safeguards for the customer information at issue; 7
(ii) Requiring service providers by contract to implement and maintain such safeguards; 8
and 9
(iii) Periodically assessing service providers based on the risk they present and the 10
continued adequacy of their safeguards. 11
(7) Evaluate and adjust the information security program considering the results of the 12
testing and monitoring required by subsection (c)(4) of this section; any material changes to the 13
licensee’s operations or business arrangements; the results of risk assessments performed under 14
subsection (c)(2)(ii) of this section; or any other circumstances that the licensee knows or has reason 15
to know may have a material impact on the information security program. 16
(8) Establish a written incident response plan designed to promptly respond to, and recover 17
from, any security event materially affecting the confidentiality, integrity, or availability of 18
customer information in your control. Such incident response plan shall address the following 19
areas: 20
(i) The goals of the incident response plan; 21
(ii) The internal processes for responding to a security event; 22
(iii) The definition of clear roles, responsibilities and levels of decision-making authority; 23
(iv) External and internal communications and information sharing; 24
(v) Identification of requirements for the remediation of any identified weaknesses in 25
information systems and associated controls; 26
(vi) Documentation and reporting regarding security events and related incident response 27
activities; and 28
(vii) The evaluation and revision as necessary of the incident response plan following a 29
security event. 30
(9) Require the qualified individual to report in writing, at least annually, to the board of 31
directors or equivalent governing body. If no such board of directors or equivalent governing body 32
exists, such report shall be timely presented to a senior officer responsible for the information 33
security program. The report shall include the following information: 34
LC001327 - Page 6 of 8
(i) The overall status of the information security program and compliance with this chapter 1
and associated rules; and 2
(ii) Material matters related to the information security program, addressing issues such as 3
risk assessment, risk management and control decisions, service provider arrangements, results of 4
testing, security events or violations and management’s responses thereto, and recommendations 5
for changes in the information security program. 6
(10) Establish a written plan addressing business continuity and disaster recovery. 7
SECTION 2. Chapter 19-14 of the General Laws entitled "Licensed Activities" is hereby 8
amended by adding thereto the following section: 9
19-14-36. Notification of a security event. 10
(a) Each licensee shall notify the director or the director’s designee as promptly as possible, 11
but in no event later than three (3) business days from a determination that a security event has 12
occurred when either of the following criteria has been met: 13
(1) A security event impacting the licensee of which notice is required to be provided to 14
any governmental body, self-regulatory agency, or any other supervisory body pursuant to any state 15
or federal law; or 16
(2) A security event that has a reasonable likelihood of materially harming; 17
(i) Any consumer residing in this state; or 18
(ii) Any material part of the normal operation(s) of the licensee. 19
(b) The licensee shall provide any information required by this section in electronic form 20
as directed by the director or the director’s designee. The licensee shall have a continuing 21
obligation to update and supplement initial and subsequent notifications to the director or the 22
director’s designee concerning the security event. The following information shall be provided: 23
(1) The name and contact information of the reporting licensee; 24
(2) A description of the types of information that were involved in the notification event; 25
(3) If the information is possible to determine, the date or date range of the notification 26
event; 27
(4) The total number of consumers in this state affected or potentially affected by the 28
notification event. The licensee shall provide the best estimate in the initial report to the director or 29
the director’s designee and update this estimate with each subsequent report; 30
(5) A general description of the notification event including how the information was 31
exposed, lost, stolen, or breached, detailing specific roles and responsibilities of third-party service 32
providers, if any; 33
(6) A description of efforts being undertaken to remediate the situation that permitted the 34
LC001327 - Page 7 of 8
security event to occur; and 1
(7) Whether any law enforcement official has provided the licensee with a written 2
determination that notifying the public of the breach would impede a criminal investigation or cause 3
damage to national security, and a means for the director or the director’s designee to contact the 4
law enforcement official. A law enforcement official may request an initial delay of up to thirty 5
(30) days following the date when notice was provided to the director or the director’s designee. 6
The delay may be extended for an additional period of up to sixty (60) days if the law enforcement 7
official seeks such an extension in writing. Additional delay may be permitted only if the director 8
or the director’s designee determines that public disclosure of a security event continues to impede 9
a criminal investigation or cause damage to national security. 10
(8) Name of contact person who is both familiar with the security event and is authorized 11
to act for the licensee. 12
(c) A licensee shall comply with chapter 49.3 of title 11, as applicable, and provide a copy 13
of the notice sent to consumers under that chapter to the director or the director’s designee, when a 14
licensee is required to notify the director or the director’s designee. 15
SECTION 3. This act shall take effect upon passage. 16
========
LC001327
========
LC001327 - Page 8 of 8
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO FINANCIAL INSTITUTIONS -- LICENSED ACTIVITIES
***
This act would provide standards for developing, implementing, and maintaining 1
reasonable administrative, technical, and physical safeguards to protect the security, 2
confidentiality, and integrity of customer information held by entities licensed under chapter 14 of 3
title 19 relating to licensed activities of financial institutions. 4
This act would take effect upon passage. 5
========
LC001327
========