What happened
A new Rhode Island bill would update the state's cybersecurity and identity theft protections after the 2024 RIBridges breach exposed sensitive information belonging to around 650,000 people. State Sen. Victoria Gu and state Rep. Lauren H. Carson introduced the measure to modernize the Identity Theft Protection Act of 2015 and align its security requirements with current industry-recognized frameworks such as the NIST Cybersecurity Framework. The proposal would replace references to "personal information" with the broader term "personally identifiable information" and clarify that entities handling that data must maintain a risk-based information security program built on current best practices. It would also update breach reporting obligations by requiring timely notification to the Rhode Island Division of Enterprise Technology Strategy and Services when an incident occurs.
Who is affected
The direct impact falls on Rhode Island state agencies, municipalities, companies, and other entities that handle personally identifiable information. Rhode Islanders whose data is collected and stored by those organizations would also be affected through stronger requirements for data protection, access controls, and breach reporting.
Why CISOs should care
This bill matters because it ties data protection obligations directly to current cybersecurity frameworks and to a broader definition of identity-related information, so compliance is measured against a moving external baseline rather than a fixed statutory one. It also signals growing pressure on organizations to show that their security programs, access controls, and reporting processes match current threats rather than the standards written into older statutes.
3 practical actions
- Review whether your security program matches current frameworks: Confirm that your risk-based security controls map to a current industry-recognized standard such as the NIST Cybersecurity Framework rather than to older internal baselines, and that you can produce evidence of that mapping.
- Reassess how identity-related data is defined and handled: Make sure governance, classification, and protection practices cover the broader category of personally identifiable information, not just the narrower legacy definition of "personal information."
- Prepare for faster state-level reporting requirements: Ensure breach response plans can deliver timely notification to the appropriate state technology authority (in Rhode Island, the Division of Enterprise Technology Strategy and Services, if this bill passes) and that the reporting step is assigned to a named role and rehearsed.
