§ 19-14-36. Notification of a security event.
(a) Each licensee shall notify the director or the director’s designee as promptly as possible, but in no event later than three (3) business days from a determination that a security event has occurred when either of the following criteria has been met:
(1) A security event impacting the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
(2) A security event that has a reasonable likelihood of materially harming;
(i) Any consumer residing in this state; or
(ii) Any material part of the normal operation(s) of the licensee.
(b) The licensee shall provide any information required by this section in electronic form as directed by the director or the director’s designee. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the director or the director’s designee concerning the security event. The following information shall be provided:
(1) The name and contact information of the reporting licensee;
(2) A description of the types of information that were involved in the notification event;
(3) If the information is possible to determine, the date or date range of the notification event;
(4) The total number of consumers in this state affected or potentially affected by the notification event. The licensee shall provide the best estimate in the initial report to the director or the director’s designee and update this estimate with each subsequent report;
(5) A general description of the notification event including how the information was exposed, lost, stolen, or breached, detailing specific roles and responsibilities of third-party service providers, if any;
(6) A description of efforts being undertaken to remediate the situation that permitted the security event to occur; and
(7) Whether any law enforcement official has provided the licensee with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the director or the director’s designee to contact the law enforcement official. A law enforcement official may request an initial delay of up to thirty (30) days following the date when notice was provided to the director or the director’s designee. The delay may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the director or the director’s designee determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.
(8) Name of contact person who is both familiar with the security event and is authorized to act for the licensee.
(c) A licensee shall comply with chapter 49.3 of title 11, as applicable, and provide a copy of the notice sent to consumers under that chapter to the director or the director’s designee, when a licensee is required to notify the director or the director’s designee.
(d) The provisions of this section shall not apply to any regulated institution as defined in § 19-1-1, or subsidiary of such regulated institution, or any bank holding company or subsidiary of a bank holding company subject to federal bank holding company laws and regulations.
History of Section.
P.L. 2025, ch. 424, § 2, effective July 2, 2025; P.L. 2025, ch. 425, § 2, effective
July 2, 2025.