2025 -- S 0603
========
LC001327
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2025
____________

AN ACT
RELATING TO FINANCIAL INSTITUTIONS -- LICENSED ACTIVITIES
Introduced By: Senators Britto, McKenney, Sosnowski, Gu, Felag, LaMountain, DiPalma, and Bissaillon
Date Introduced: March 06, 2025
Referred To: Senate Commerce
(Dept. of Business Regulation)

It is enacted by the General Assembly as follows:
SECTION 1. Chapter 19-14 of the General Laws entitled "Licensed Activities" is hereby amended by adding thereto the following sections:

19-14-35. Information security program.

(a) Each licensee shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the licensee’s size and complexity, the nature and scope of activities, including its use of third-party service providers, and the sensitivity of any customer information used by the licensee or in the licensee’s possession.

(b) As used in this chapter, the following terms shall have the following meanings:

(1) “Customer” means a consumer who has a customer relationship with a licensee.

(2) “Customer information” means any record containing nonpublic personal information about a consumer that a licensee has a relationship with, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a licensee or its affiliates.

(3) “Encryption” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.

(4) “Information security program” means the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle customer information.

LC001327 - Page 2 of 8
(5) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

(6) “Notification event” means acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless reliable evidence exists that proves there has not been, or could not reasonably have been, unauthorized acquisition of such information.

(7) “Security event” means an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system, or customer information held in physical form, commonly known as a “cybersecurity event”.
(c) In order to develop, implement, and maintain the information security program, the licensee shall:

(1) Designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. The qualified individual may be employed by the licensee, an affiliate, or a service provider. To the extent the requirement in subsection (a) of this section is met using a service provider or an affiliate, the licensee shall:

(i) Retain responsibility for compliance with this section;

(ii) Designate a senior member of the licensee responsible for direction and oversight of the qualified individual; and

(iii) Require the service provider or affiliate to maintain an information security program that protects the licensee in accordance with the requirements of this section.

(2) Perform a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
(i) The risk assessment shall be written and shall include:

(A) Criteria for the evaluation and categorization of identified security risks or threats;

(B) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of identified risks or threats; and

(C) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
(ii) A licensee shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.
(3) Design and implement safeguards to control the risks identified through risk assessment by:

(i) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:

(A) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and

(B) Limit authorized users’ access only to customer information that they need to perform their duties and functions, or in the case of customers, to access their own information;

(ii) Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with relative importance to business objectives and the licensee’s risk strategy;

(iii) Protect by encryption all customer information held or transmitted both in transit over external networks and at rest. To the extent it is determined that encryption of customer information, either in transit over external networks or at rest, is infeasible, the licensee may instead secure such customer information using effective alternative compensating controls reviewed and approved by the qualified individual;

(iv) Adopt secure development practices for in-house developed applications utilized by the licensee for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications utilized to transmit, access, or store customer information;

(v) Implement multi-factor authentication for any individual accessing any information system, unless the qualified individual has approved in writing the use of reasonably equivalent or more secure access controls;

(vi) Record retention:

(A) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two (2) years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and

(B) Periodically review data retention policies to minimize the unnecessary retention of data;

(vii) Adopt procedures for change management; and

(viii) Implement policies, procedures and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
(4) Based on its risk assessment, the licensee shall perform ongoing testing by:

(i) Regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems;

(ii) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the licensee shall conduct:

(A) Annual penetration testing of its information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

(B) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in the licensee’s information systems based on the risk assessment, at least every six (6) months; and whenever there are material changes to operations or business arrangements; and whenever there are circumstances that the licensee knows or has reason to know may have a material impact on the information security program.
(5) Implement policies and procedures to ensure that personnel have the ability to enact the information security program by:

(i) Providing personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;

(ii) Utilizing qualified information security personnel employed by the licensee or an affiliate or service provider sufficient to manage information security risks and to perform or oversee the information security program;

(iii) Providing information security personnel with security updates and training sufficient to address relevant security risks; and

(iv) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
(6) Monitor service providers by:

(i) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;

(ii) Requiring service providers by contract to implement and maintain such safeguards; and

(iii) Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.
(7) Evaluate and adjust the information security program considering the results of the testing and monitoring required by subsection (c)(4) of this section; any material changes to the licensee’s operations or business arrangements; the results of risk assessments performed under subsection (c)(2)(ii) of this section; or any other circumstances that the licensee knows or has reason to know may have a material impact on the information security program.
(8) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control. Such incident response plan shall address the following areas:

(i) The goals of the incident response plan;

(ii) The internal processes for responding to a security event;

(iii) The definition of clear roles, responsibilities and levels of decision-making authority;

(iv) External and internal communications and information sharing;

(v) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

(vi) Documentation and reporting regarding security events and related incident response activities; and

(vii) The evaluation and revision as necessary of the incident response plan following a security event.
(9) Require the qualified individual to report in writing, at least annually, to the board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for the information security program. The report shall include the following information:

(i) The overall status of the information security program and compliance with this chapter and associated rules; and

(ii) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

(10) Establish a written plan addressing business continuity and disaster recovery.
SECTION 2. Chapter 19-14 of the General Laws entitled "Licensed Activities" is hereby amended by adding thereto the following section:

19-14-36. Notification of a security event.

(a) Each licensee shall notify the director or the director’s designee as promptly as possible, but in no event later than three (3) business days from a determination that a security event has occurred when either of the following criteria has been met:

(1) A security event impacting the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or

(2) A security event that has a reasonable likelihood of materially harming:

(i) Any consumer residing in this state; or

(ii) Any material part of the normal operation(s) of the licensee.
(b) The licensee shall provide any information required by this section in electronic form as directed by the director or the director’s designee. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the director or the director’s designee concerning the security event. The following information shall be provided:

(1) The name and contact information of the reporting licensee;

(2) A description of the types of information that were involved in the notification event;

(3) If the information is possible to determine, the date or date range of the notification event;

(4) The total number of consumers in this state affected or potentially affected by the notification event. The licensee shall provide the best estimate in the initial report to the director or the director’s designee and update this estimate with each subsequent report;

(5) A general description of the notification event including how the information was exposed, lost, stolen, or breached, detailing specific roles and responsibilities of third-party service providers, if any;

(6) A description of efforts being undertaken to remediate the situation that permitted the security event to occur; and
(7) Whether any law enforcement official has provided the licensee with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the director or the director’s designee to contact the law enforcement official. A law enforcement official may request an initial delay of up to thirty (30) days following the date when notice was provided to the director or the director’s designee. The delay may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the director or the director’s designee determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.

(8) Name of contact person who is both familiar with the security event and is authorized to act for the licensee.
(c) A licensee shall comply with chapter 49.3 of title 11, as applicable, and provide a copy of the notice sent to consumers under that chapter to the director or the director’s designee, when a licensee is required to notify the director or the director’s designee.

SECTION 3. This act shall take effect upon passage.

========
LC001327
========
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
AN ACT
RELATING TO FINANCIAL INSTITUTIONS -- LICENSED ACTIVITIES
***

This act would provide standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information held by entities licensed under chapter 14 of title 19 relating to licensed activities of financial institutions.

This act would take effect upon passage.

========
LC001327
========