A 2024 data breach of Rhode Island’s online portal for social services has prompted a local lawmaker to introduce a bill to modernize cybersecurity laws.
Doing so will better protect the personally identifiable information of Rhode Islanders, state Sen. Victoria Gu and state Rep. Lauren H. Carson say.
“In the wake of the RIBridges cyberattack, it’s important to set clear expectations that state agencies, municipalities and companies should be meeting current best practices of an industry-recognized cybersecurity framework, such as NIST Cybersecurity Framework, to protect the personally identifiable information of Rhode Islanders,” said Gu (D-Dist. 38, Westerly, Charlestown, South Kingstown), who chairs the Senate Committee on Artificial Intelligence and Emerging Technologies. “Our current laws governing the protection of this information need updating to match the reality of our increasingly digital world and its threats.”
The December 2024 breach of RIBridges affected around 650,000 people in total, releasing Social Security numbers, employment details, financial data and other personal information to the dark web. Gu and Carson saw this as a clear sign that Rhode Island needed to update its cybersecurity standards.
“As our lives become increasingly digital, it is no surprise that identity theft is one of the fastest growing cybercrimes,” said Representative Carson (D-Dist. 75, Newport). “We are no strangers to large data breaches here in Rhode Island, and many of us were asked to take steps to protect ourselves after the RIBridges attack. But just asking residents to protect themselves is insufficient. Especially as AI and related technologies grow in capability and popularity, we as legislators need to take serious steps to make sure Rhode Islanders are protected. It is time to update our identity theft protections, which have seen minimal changes over the last decade — an eternity considering how technology and our digital lives have changed since 2015.”
The bill (2026-S 2638, 2026-H 7509) would amend the Identity Theft Protection Act of 2015 to modernize its requirements and definitions. It would change references to protecting “personal information” in the law to “personally identifiable information,” a more expansive term that includes all information that can be used to reveal a person’s identity.
Entities that handle this information are already required to maintain a risk-based information security program, and the bill clarifies that this program must meet current best practices as outlined in an industry recognized cybersecurity framework, with controls to restrict and manage access to the data.
“It is essential to have clear safeguards that protect the personal information of Rhode Islanders,” AARP R.I. State Director Catherine Taylor said. “Many of us manage sensitive financial, medical and digital records, and when those details fall into the wrong hands, it can disrupt not only our finances but our sense of security. Strengthening practices that help keep Rhode Islanders’ information safe gives older adults the confidence to stay engaged, connected and independent in an increasingly digital world.”
The bill would maintain the existing penalties in law for “reckless” or “knowing and willful violations,” but adds an additional tool to allow courts to impose additional sanctions if the circumstances of a violation warrant it.
The bill would also update the reporting requirements of state agencies, municipalities and companies when a breach has occurred to include timely notification to the Rhode Island Division of Enterprise Technology Strategy and Services (ETSS).
ETSS is the Rhode Island agency responsible for oversight, coordination and development of all IT staff and resources within the executive branch of government. It works to standardize the state’s ongoing investments in software, networks and cybersecurity.
Gu and Carson sponsored similar legislation last year. This year’s version incorporates feedback gained from experts and the business community during last year’s committee process.
Cybercrime losses topped $16 billion nationwide in 2024 — a 33% increase from 2023. According to the FBI’s Boston Division, which covers Maine, Massachusetts, New Hampshire and Rhode Island, New Englanders reported total losses to cybercrime in 2024 of $446.7 million, with common victims including senior citizens and small businesses.
Gu and Carson say that by increasing data safety standards, the bill helps to protect both individuals and small businesses from losses from scams, fraud and ransomware.
Click Here For The Original Source.
