Loading chat...

RI H7509

Bill

Official Source

Status

Introduced

2/4/2026

Primary Sponsor

Lauren Carson

Click for details

Origin

House of Representatives

2026 Regular Session

AI Summary

  • Replaces the narrower definition of "personal information" with a broader "personally identifiable information" (PII) definition that includes direct and indirect identifiers, biometric data, and internet data, and eliminates the separate "classified data" definition
  • Requires information security programs to meet current best practices of an approved, industry-recognized cybersecurity framework, with controls for data in transit and at rest, and mandates data destruction follow recognized sanitization and destruction guidelines
  • Adds the Division of Enterprise Technology Strategy and Services (ETSS) or successor agency to breach and cybersecurity incident notification requirements, and requires municipal and state agencies to provide annual security updates to the General Assembly and ETSS
  • Expands cybersecurity incident notification requirements to include mitigating actions taken and any notifications made to regulatory or federal entities, and allows courts to impose additional sanctions beyond existing per-record penalties ($100 for reckless violations, $200 for knowing/willful violations)
  • Requires third-party contracts to extend security obligations to sub-contracted parties and mandates compliance with industry-recognized cybersecurity frameworks; effective July 1, 2026

Legislative Description

Amends the Identity Theft Protection Act by eliminating current definitions and establishing new definitions. This act also raises the penalty provisions for violations.

Criminal Offenses

Last Action

Committee recommended measure be held for further study

3/10/2026

Committee Referrals

Judiciary2/4/2026

Full Bill Text

No bill text available