Florida Administrative Code
69 - DEPARTMENT OF FINANCIAL SERVICES
69O - OIR - Insurance Regulation
Chapter 69O-128 - PRIVACY OF CONSUMER FINANCIAL AND HEALTH INFORMATION
Section 69O-128.034 - Examples of Methods of Development and Implementation

Universal Citation: FL Admin Code R 69O-128.034

Current through Reg. 50, No. 187; September 24, 2024

The following actions and procedures are examples of methods of implementation of the requirements of Rules 69O-128.032 and 69O-128.033, F.A.C. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement Rules 69O-128.032 and 69O-128.033, F.A.C.

(1) Assess Risk. The licensee:

(a) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, transmission, or destruction of customer information or customer information systems;

(b) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and,

(c) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.

(2) Manage and Control Risk. The licensee:

(a) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the licensee's activities;

(b) Trains staff as appropriate to implement the licensee's information security program; and,

(c) Regularly tests or otherwise regularly monitors the key controls, systems, and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

(3) Oversee Service Provider Arrangements. The licensee:

(a) Exercises appropriate due diligence in selecting its service providers; and,

(b) Requires its service providers to implement appropriate measures designed to meet the objectives of this rule; and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

(4) Adjust the Program. The licensee monitors, evaluates, and adjusts as appropriate the information security program in light of any relevant changes in:

(a) Technology;

(b) The sensitivity of its customer information;

(c) The volume of its customer information;

(d) Internal or external threats to information; and,

(e) The licensee's own changing business arrangements, such as:

1. Mergers and acquisitions;

2. Alliances and joint ventures;

3. Outsourcing arrangements; and,

4. Changes to customer information systems.

Rulemaking Authority 624.308(1), 626.9651 FS. Law Implemented 624.307(1), 626.9651 FS.

New 12-8-02, Formerly 4-128.034.
