Current through Register Vol. 49, No. 2, February 2024
Section 1. Preamble
A. This regulation establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b) and 6807.
B. Section 501(a) provides that it is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information. Section 501(b) requires the state insurance regulatory authorities to establish appropriate standards relating to administrative, technical and physical safeguards:
(1) to ensure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer.
C. Section 505(b)(2) calls on state insurance regulatory authorities to implement the standards prescribed under Section 501(b) by regulation with respect to persons engaged in providing insurance.
D. Section 507 provides, among other things, that a state regulation may afford persons greater privacy protections than those provided by subtitle A of Title V of the Gramm-Leach-Bliley Act. This regulation requires that the safeguards established pursuant to this regulation shall apply to nonpublic personal information, including nonpublic personal financial information and nonpublic personal health information, about customers and nonpublic personal information contained on applications for an insurance product submitted to a licensee by a consumer, regardless of whether the insurance product is ultimately purchased by the consumer.
Section 2. Authority
This regulation is promulgated pursuant to the authority granted by Sections 23-61-108, 23-61-113, 23-66-207, 25-15-203 -204 of the Arkansas Code Annotated, and other applicable laws or rules.
Section 3. Definitions
For purposes of this regulation, the following definitions apply:
A. "Customer" means a customer as defined in Section 4I of Rule and Regulation 74.
B. "Customer information" means nonpublic personal information, as defined in Section 4S of Rule and Regulation 74, about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee. For purposes of this regulation, customer information shall also include nonpublic personal information contained in applications for an insurance product submitted to a licensee by a consumer, as defined in Section 4F of Rule and Regulation 74, regardless of whether the insurance product is ultimately purchased by the consumer.
C. "Customer information systems" means the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
D. "Licensee" means a licensee as that term is defined in Section 4Q of Rule and Regulation 74, except that "licensee" shall not include: a purchasing group; or an unauthorized insurer in regard to the excess line business conducted pursuant to Ark. Code Ann. §§ 23-65-301, et seq.
E. "Service provider" means a person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.
Section 4. Information Security Program
Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Section 5. Objectives of Information Security Program
A licensee's information security program shall be designed to:
A. Ensure the security and confidentiality of customer information;
B. Protect against any anticipated threats or hazards to the security or integrity of the information; and
C. Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
Section 6. Examples of Methods of Development and Implementation
The actions and procedures described in Sections 7 through 10 of this regulation are examples of methods of implementation of the requirements of Sections 4 and 5 of this regulation. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement Sections 4 and 5 of this regulation.
Section 7. Assess Risk
The licensee:
A. Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;
B. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
C. Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
Section 8. Manage and Control Risk
The licensee:
A. Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;
B. Trains staff, as appropriate, to implement the licensee's information security program; and
C. Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.
Section 9. Oversee Service Provider Arrangements
The licensee:
A. Exercises appropriate due diligence in selecting its service providers; and
B. Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation.
Section 10. Adjust the Program
The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.
Section 11. Determined Violation
A violation of this regulation shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state, in violation of Ark. Code Ann. § 23-66-201, et seq.
Section 12. Effective Date
This regulation shall be effective on September 20, 2002.
Section 13. Compliance Date
Each licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this regulation by January 1, 2003.
__(Signed by Mike Pickens)______________
MIKE PICKENS
COMMISSIONER
__(Signed 9/6/2002)____________________
DATE