Back to Rhode Island

S2638 • 2026

AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions. This act also raises the penalty provisions for violations.)

AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions. This act also raises the penalty provisions for violations.)

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Gu, Zurier, Urso, DiPalma, Paolino, Vargas, Burke
Last action
2026-06-04
Official status
Referred to House Judiciary
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions. This act also raises the penalty provisions for violations.)

AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions.

What This Bill Does

  • AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions.
  • This act also raises the penalty provisions for violations.)

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

Published version

Plain English: S2638A 2026 -- S 2638 SUBSTITUTE A ======== LC004835/SUB A/2 ======== STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

  • S2638A 2026 -- S 2638 SUBSTITUTE A ======== LC004835/SUB A/2 ======== STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.
  • 2026 ____________ A N A C T RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 Introduced By: Senators Gu, Zurier, Urso, DiPalma, Paolino, Vargas, and Burke Date Introduced: February 27, 2026 Referred To: Senate Artificial Intelligence & Emerging Tech It is enacted by the General Assembly as follows: 1 SECTION 1.
  • Sections 11-49.3-2, 11-49.3-3, 11-49.3-4, 11-49.3-5, 11-49.3-6 and 11-49.3- 2 7 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" are 3 hereby amended to read as follows: 4 11-49.3-2.
  • Risk-based information security program.
Published version

Plain English: S2638Aaa 2026 -- S 2638 SUBSTITUTE A AS AMENDED ======== LC004835/SUB A/2 ======== STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

  • S2638Aaa 2026 -- S 2638 SUBSTITUTE A AS AMENDED ======== LC004835/SUB A/2 ======== STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.
  • 2026 ____________ A N A C T RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 Introduced By: Senators Gu, Zurier, Urso, DiPalma, Paolino, Vargas, and Burke Date Introduced: February 27, 2026 Referred To: Senate Artificial Intelligence & Emerging Tech It is enacted by the General Assembly as follows: 1 SECTION 1.
  • Sections 11-49.3-2, 11-49.3-3, 11-49.3-4, 11-49.3-5, 11-49.3-6 and 11-49.3- 2 7 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" are 3 hereby amended to read as follows: 4 11-49.3-2.
  • Risk-based information security program.

Bill History

  1. 2026-06-04 Rhode Island General Assembly

    Referred to House Judiciary

  2. 2026-06-03 Senate

    Senate passed Sub A as amended (floor amendment)

  3. 2026-05-29 Rhode Island General Assembly

    Placed on Senate Calendar (06/03/2026)

  4. 2026-05-28 Committee

    Committee recommends passage of Sub A

  5. 2026-05-27 Rhode Island General Assembly

    Proposed Substitute

  6. 2026-05-26 Rhode Island General Assembly

    Scheduled for consideration (05/28/2026)

  7. 2026-03-31 Committee

    Committee recommended measure be held for further study

  8. 2026-03-27 Rhode Island General Assembly

    Scheduled for hearing and/or consideration (03/31/2026)

  9. 2026-02-27 Rhode Island General Assembly

    Introduced, referred to Senate Artificial Intelligence & Emerging Technol

Official Summary Text

AN ACT RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015 (Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions. This act also raises the penalty provisions for violations.)

Current Bill Text

Read the full stored bill text
S2638Aaa

2026 -- S 2638 SUBSTITUTE A AS AMENDED
========
LC004835/SUB A/2
========

STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2026
____________
A N A C T
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015

Introduced By:
Senators Gu, Zurier, Urso, DiPalma, Paolino, Vargas, and Burke

Date Introduced:
February 27, 2026

Referred To:
Senate Artificial Intelligence & Emerging Tech
It is enacted by the General Assembly as follows:
1
SECTION 1. Sections 11-49.3-2, 11-49.3-3, 11-49.3-4, 11-49.3-5, 11-49.3-6 and 11-49.3-
2
7 of the General Laws in Chapter 11-49.3 entitled "Identity Theft Protection Act of 2015" are
3
hereby amended to read as follows:
4

11-49.3-2. Risk-based information security program.
5
(a) A municipal agency, state agency, or person who or that stores, collects, processes,
6
maintains, acquires, uses, owns, or licenses
personal

personally identifiable
information about a
7
Rhode Island resident shall
, at a minimum,
implement and maintain a risk-based information
8
security program
that meets current best practices of an approved and industry recognized
9
cybersecurity framework
that contains reasonable security procedures
, programs
and practices
10
appropriate to the size and scope of the organization; the nature of the information; and the purpose
11
for which the information was collected in order to protect the
personal

personally identifiable

12
information from unauthorized access, use, modification, destruction, or disclosure and to preserve
13
the confidentiality, integrity, and availability of such information.
Controls and procedures shall be
14
implemented to restrict and manage access to the data in transit and at rest.
A municipal agency,
15
state agency, or person shall not retain
personal

personally identifiable
information for a period
16
longer than is reasonably required to provide the services requested; to meet the purpose for which
17
it was collected; or in accordance with a written retention policy or as may be required by law. A
18
municipal agency, state agency, or person shall destroy all
personal

personally identifiable

19
information, regardless of the medium that such information is in, in a secure manner, including,

1
but not limited to, shredding, pulverization, incineration, or erasure
in accordance with current best
2
practices of an approved and industry recognized sanitization and destruction guideline
.
3
(b) A municipal agency, state agency, or person who or that discloses
personal

personally
4
identifiable
information about a Rhode Island resident to a nonaffiliated third party shall require by
5
written contract that the third party
and any sub-contracted party
implement and maintain
6
reasonable security procedures
, programs
and practices
that meet current best practices of an
7
approved and industry recognized cybersecurity framework and are
appropriate to the size and
8
scope of the organization; the nature of the information; and the purpose for which the information
9
was collected in order to protect the
personal

personally identifiable
information from unauthorized
10
access, use, modification, destruction, or disclosure. The provisions of this section shall apply to
11
contracts entered into after the effective date of this act.
12

(c) Municipal and state agencies shall provide an annual update to the general assembly
13
and the division of enterprise technology strategy and services (ETSS) or successor state agency,
14
or successor to the chief digital officer in the form required by the ETSS.
15

(d) The ETSS shall publish and maintain educational materials on their websites regarding
16
current best practices under approved and industry recognized cybersecurity frameworks for the
17
benefit of the public, including, but not limited to, business owners and employers.
18

11-49.3-3. Definitions.
19
(a) The following definitions apply to this chapter:
20
(1) “Breach of the security of the system” means unauthorized access or acquisition of
21
unencrypted,
computerized data information that compromises the security, confidentiality, or
22
integrity of
personal

personally identifiable
information maintained by the municipal agency, state
23
agency, or person. Good-faith acquisition of
personal

personally identifiable
information by an
24
employee or agent of the agency for the purposes of the agency is not a breach of the security of
25
the system; provided, that the
personal

personally identifiable
information is not used or subject to
26
further unauthorized disclosure.
27
(2)
“Classified data” means any data that is not public (private, sensitive, confidential).
28
Classified data requires additional security controls, such as access restrictions and encryption.
29
Classified data includes personally identifiable information (PII), personally identifiable health
30
information (PHI), or federal tax information (FTI).
31

(3)
“Cybersecurity incident” means unauthorized access that could jeopardize the
32
confidentiality, integrity, or availability of critical information systems and critical infrastructure
33
systems (i.e., first responder networks, water, energy).
34

(4)
(3)
“Encrypted” means the transformation of data through the use of a one hundred

LC004835/SUB A/2 - Page 2 of 9
1
twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability
2
of assigning meaning without use of a confidential process or key. Data shall not be considered to
3
be encrypted if it is acquired in combination with any key, security code, or password that would
4
permit access to the encrypted data.
5

(5)
(4)
“Health insurance information” means an individual’s health insurance policy
6
number, subscriber identification number, or any unique identifier used by a health insurer to
7
identify the individual.
8

(6)
(5)
“Medical information” means any information regarding an individual’s medical
9
history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
10
or provider.
11

(7)
(6)
“Municipal agency” means any department, division, agency, commission, board,
12
office, bureau, authority, quasi-public authority, or school, fire, or water district within Rhode
13
Island, other than a state agency, and any other agency that is in any branch of municipal
14
government and exercises governmental functions other than in an advisory nature.
15

(8)
(7)
“Owner” means the original collector of the information.
16

(9)
(8)
“Person” shall include any individual, sole proprietorship, partnership, association,
17
corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial
18
entity.
19

(10) “Personal information” means an individual’s first name or first initial and last name
20
in combination with any one or more of the following data elements, when the name and the data
21
elements are not encrypted or are in hard copy, paper format:
22

(i) Social security number;
23

(ii) Driver’s license number, Rhode Island identification card number, or tribal
24
identification number;
25

(iii) Account number, credit or debit card number, in combination with any required
26
security code, access code, password, or personal identification number, that would permit access
27
to an individual’s financial account;
28

(iv) Medical or health insurance information; or
29

(v) E-mail address with any required security code, access code, or password that would
30
permit access to an individual’s personal, medical, insurance, or financial account.
31

(9) “Personally identifiable information” means information that can be used to distinguish
32
or trace an individual's identity, either alone or when combined with other information that is linked
33
or linkable to a specific individual. This information includes both direct and indirect identifiers,
34
as well as biometric data and internet data.

LC004835/SUB A/2 - Page 3 of 9
1

(10) “Reasonable security procedures” means protective, documented measures that are
2
commensurate with the risk and sensitivity of the data, suitable for the specific context, including
3
nature of the business and type of data; effective in preventing unauthorized access, use, disclosure,
4
alteration or destruction of the data. Reasonable security procedures are regularly reviewed and
5
updated to ensure they remain effective and relevant in the face of evolving threats and include
6
who is responsible for implementing and maintaining the procedures, how they are implemented
7
and how they are regularly reviewed.
8
(11) “Remediation service provider” means any person who or that, in the usual course of
9
business, provides services pertaining to a consumer credit report including, but not limited to,
10
credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.
11
(12) “State agency” means any department, division, agency, commission, board, office,
12
bureau, authority, or quasi-public authority within Rhode Island; either branch of the Rhode Island
13
general assembly or an agency or committee thereof; the judiciary; or any other agency that is in
14
any branch of Rhode Island state government and that exercises governmental functions other than
15
in an advisory nature.
16
(b) For purposes of this chapter,
personal

personally identifiable
information does not
17
include publicly available information that is lawfully made available to the general public from
18
federal, state, or local government records.
19
(c) For purposes of this chapter, “notice” may be provided by one of the following methods:
20
(1) Written notice;
21
(2) Electronic notice, if the notice provided is consistent with the provisions regarding
22
electronic records and signatures set forth in 15 U.S.C. § 7001; or
23
(3) Substitute notice, if the municipal agency, state agency, or person demonstrates that the
24
cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the affected
25
class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal agency,
26
state agency, or person does not have sufficient contact information. Substitute notice shall consist
27
of all of the following:
28
(i) E-mail notice when the municipal agency, state agency, or person has an e-mail address
29
for the subject persons;
30
(ii) Conspicuous posting of the notice on the municipal agency’s, state agency’s, or
31
person’s website page, if the municipal agency, state agency, or person maintains one; and
32
(iii) Notification to major statewide media.
33

11-49.3-4. Notification of breach.
34
(a)(1) Any municipal agency, state agency, or person who or that stores, owns, collects,

LC004835/SUB A/2 - Page 4 of 9
1
processes, maintains, acquires, uses, or licenses data that includes
personal

personally identifiable

2
information shall provide notification as set forth in this section of any disclosure of
personal

3
personally identifiable
information, or any breach of the security of the system, that poses a
4
significant risk of identity theft to any resident of Rhode Island whose
personal

personally
5
identifiable
information was, or is reasonably believed to have been, acquired by an unauthorized
6
person or entity.
7
(2) The notification shall be made in the most expedient time possible, subject to the
8
following:
9
(i) For state and municipal agencies, no later than thirty (30) calendar days after
10
confirmation of the breach and the ability to ascertain the information required to fulfill the notice
11
requirements contained in subsection (d), and shall be consistent with the legitimate needs of law
12
enforcement as provided in subsection (b). In the event that more than five hundred (500) Rhode
13
Island residents are to be notified, the municipal agency or state agency shall notify the attorney
14
general and the major credit reporting agencies as to the timing, content, and distribution of the
15
notices and the approximate number of affected individuals. Notification to the attorney general
,
16
the division of enterprise technology strategy and services (ETSS) or successor state agency or
17
successor to the chief digital officer
and the major credit reporting agencies shall be made without
18
delaying notice to affected Rhode Island residents. Where affected employees are represented by a
19
labor union through a collective bargaining agreement, the employer shall also notify the collective
20
bargaining agent, or designee, of such breaches.
21
(ii) For persons subject to subsection (a)(1), which is not a state or municipal agency, no
22
later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain
23
the information required to fulfill the notice requirements contained in subsection (d), and shall be
24
consistent with the legitimate needs of law enforcement as provided in subsection (b). In the event
25
that more than five hundred (500) Rhode Island residents are to be notified, the person shall notify
26
the attorney general and the major credit reporting agencies as to the timing, content, and
27
distribution of the notices and the approximate number of affected individuals. Notification to the
28
attorney general
, the division of enterprise technology strategy and services (ETSS) or successor
29
state agency or successor to the chief digital officer
and the major credit reporting agencies shall
30
be made without delaying notice to affected Rhode Island residents.
31
(b) The notification required by this section may be delayed if a federal, state, or local law
32
enforcement agency determines that the notification will impede a criminal investigation. The
33
federal, state, or local law enforcement agency must notify the municipal agency, state agency, or
34
person of the request to delay notification without unreasonable delay. If notice is delayed due to

LC004835/SUB A/2 - Page 5 of 9
1
such determination, then, as soon as the federal, state, or municipal law enforcement agency
2
determines and informs the municipal agency, state agency, or person that notification no longer
3
poses a risk of impeding an investigation, notice shall be provided as soon as practicable pursuant
4
to subsection (a)(2). The municipal agency, state agency, or person shall cooperate with federal,
5
state, or municipal law enforcement in its investigation of any breach of security or unauthorized
6
acquisition or use, which shall include the sharing of information relevant to the incident; provided
7
however, that such disclosure shall not require the disclosure of confidential business information
8
or trade secrets.
9
(c) Any municipal agency, state agency, or person required to make notification under this
10
section and fails to do so is liable for a violation as set forth in § 11-49.3-5.
11
(d) The notification to individuals must include the following information to the extent
12
known:
13
(1) A general and brief description of the incident, including how the security breach
14
occurred and the number of affected individuals;
15
(2) The type of information that was subject to the breach;
16
(3) Date of breach, estimated date of breach, or the date range within which the breach
17
occurred;
18
(4) Date that the breach was discovered;
19
(5) A clear and concise description of any remediation services offered to affected
20
individuals including toll free numbers and websites to contact:
21
(i) The credit reporting agencies;
22
(ii) Remediation service providers;
23
(iii) The attorney general
, the division of enterprise technology strategy and services
24
(ETSS) or successor state agency or successor to the chief digital officer
; and
25
(6) A clear and concise description of the consumer’s ability to file or obtain a police report;
26
how a consumer requests a security freeze and the necessary information to be provided when
27
requesting the security freeze; and that fees may be required to be paid to the consumer reporting
28
agencies.
29
(e) For state and municipal agencies remediation services to be provided and to be
30
described pursuant to the provisions of subsection (d)(5) of this section shall include, but not be
31
limited to:
32
(1) Individuals eighteen (18) years of age and older, a minimum of five (5) years of
33
coverage; and
34
(2) Individuals under eighteen (18) years of age, coverage until age eighteen (18), and no

LC004835/SUB A/2 - Page 6 of 9
1
less than two (2) years of coverage beyond age eighteen (18).
2

11-49.3-5. Penalties for violation.
3
(a) Each reckless violation of this chapter is a civil violation for which a penalty of not
4
more than one hundred dollars ($100) per record may be adjudged against a defendant.
5
(b) Each knowing and willful violation of this chapter is a civil violation for which a penalty
6
of not more than two hundred dollars ($200) per record may be adjudged against a defendant.
7
(c) Whenever the attorney general has reason to believe that a violation of this chapter has
8
occurred and that proceedings would be in the public interest, the attorney general may bring an
9
action in the name of the state against the business or person in violation.
10

(d) In addition to the penalties listed in this section, courts may impose additional
11
appropriate sanctions as warranted by the circumstances.
12

11-49.3-6. Agencies or persons with security breach procedures.
13
(a) Any municipal agency, state agency, or person shall be deemed to be in compliance
14
with the security breach notification requirements of § 11-49.3-4 if:
15
(1) The municipal agency, state agency, or person maintains its own security breach
16
procedures as part of an information security
policy

program that meets or exceeds the requirements
17
of this chapter
for the treatment of
personal

personally identifiable
information and
at a minimum,
18
adheres to the timing and notification

otherwise complies with the timing
requirements of § 11-
19
49.3-4
, and notifies subject persons in accordance with such municipal agency’s, state agency’s, or
20
person’s notification policies in the event of a breach of security
; or
21
(2) The person maintains a security breach procedure pursuant to the rules, regulations,
22
procedures, or guidelines established by the
primary or

applicable federal
functional regulator, as
23
defined in 15 U.S.C. § 6809(2), and notifies subject persons in accordance with the policies or the
24
rules, regulations, procedures, or guidelines established by the
primary or

applicable federal

25
functional regulator in the event of a breach of security of the system.
26
(b) A financial institution, trust company, credit union, or its affiliates that is subject to and
27
examined for, and found in compliance with, the Federal Interagency Guidelines on Response
28
Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed
29
in compliance with this chapter.
30
(c) A provider of health care, healthcare service plan, health insurer, or a covered entity
31
governed by the medical privacy and security rules issued by the federal Department of Health and
32
Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established
33
pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be
34
deemed in compliance with this chapter.

LC004835/SUB A/2 - Page 7 of 9
1

(d) Nothing contained in this chapter shall impair compliance with any applicable federal
2
law, regulation, guidance, or safeguarding requirement relating to federal tax information,
3
including Internal Revenue Service Publication 1075.
4

11-49.3-7. Notification of cybersecurity incident.
5
(a) Any municipal agency or state agency that detects a cybersecurity incident shall provide
6
notification to the Rhode Island state police upon detection of the cybersecurity incident within
7
twenty-four (24) hours.
The state police shall notify the division of enterprise technology strategy
8
and services (ETSS) or successor state agency or successor to the chief digital officer within
9
twenty-four (24) hours, or the next business day, of initial notification.
10
(b) Any municipal agency or state agency required to make notification under this section
11
and fails to do so may be liable for a violation as set forth in § 11-49.3-5.
12
(c) The notification shall include, at a minimum, the following information to the extent
13
known:
14
(1) A general and brief description of the incident, including how the cybersecurity incident
15
occurred;
and

16
(2) The date of the cybersecurity incident, estimated date of the cybersecurity incident, or
17
the date range within which the cybersecurity incident occurred
.
;
18

(3) Any mitigating actions taken; and
19

(4) Any notifications to regulatory or federal entities.
20
SECTION 2. This act shall take effect on July 1, 2027.
========
LC004835/SUB A/2
========

LC004835/SUB A/2 - Page 8 of 9
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO CRIMINAL OFFENSES -- IDENTITY THEFT PROTECTION ACT OF 2015
***
1
This act would amend the Identity Theft Protection Act of 2015. The act would eliminate
2
the definitions for "classified data" and "personal information" and establish a definition for
3
"personally identifiable information". This act would also add division of enterprise technology
4
strategy and services (ETSS) or successor state agency, or successor to the chief digital officer to
5
notification requirement provisions of the chapter. This act would raise the penalty provisions for
6
violations.
7
This act would take effect on July 1, 2027.
========
LC004835/SUB A/2
========

LC004835/SUB A/2 - Page 9 of 9