Compilation of Rules and Regulations of the State of Georgia
Department 80 - RULES OF DEPARTMENT OF BANKING AND FINANCE
Chapter 80-12 - MERCHANT ACQUIRER LIMITED PURPOSE BANKS
Subject 80-12-7 - SOLVENCY AND SAFEGUARDS
Rule 80-12-7-.04 - Data Breach Insurance Coverage

Current through Rules and Regulations filed through March 20, 2024

(1) Every MALPB shall obtain data breach insurance coverage to provide protection and indemnity against the release of nonpublic confidential information in the legal care, custody or control of the MALPB to an untrusted or unauthorized environment or other similar action by the MALPB as well as agents and independent contractors of the MALPB, which includes, but is not limited to, employees of eligible organizations, support organizations, holding companies, and affiliates.

(2) The data breach insurance coverage shall contain a provision that coverage will not be canceled, or not renewed, or allowed to lapse for any reason until at least sixty (60) days prior written notice has been given by the insurer to the Department. A certificate of insurance or similar documentation showing such data breach insurance coverage to be in force shall be provided to the Department prior to the MALPB engaging in any merchant acquiring activities. The data breach insurance coverage shall be obtained from an insurance company licensed to do business in Georgia that continuously maintains an A.M. Best Company rating of at least A: VII while the policy is in effect. Such data breach insurance coverage shall continuously remain in full force and effect subject to Department approved revisions to the amount of coverage.

(3) The amount of the initial data breach insurance coverage obtained by the MALPB, as well as any subsequent amendments to the amount, shall be approved by the Department in writing prior to the MALPB obtaining the data breach insurance coverage or revising the amount of coverage. It shall be in the Commissioner's sole discretion to determine the amount of required data breach insurance coverage.

(4) In order for the Department to make the determination in Paragraph 3 of this Rule related to the appropriate amount of data breach insurance coverage, an MALPB, upon request by the Department, shall provide the Department with a written justification setting forth the MALPB's rationale for the appropriate and necessary amount of data breach insurance coverage. Such justification shall set forth in detail the safeguards or protections which will be employed to mitigate the risks of an intentional or unintentional release of the data in the MALPB's possession or in the possession of agents and independent contractors of the MALPB, which shall include, but not be limited to, an evaluation of potential exposures under various stress scenarios that include intentional and unintentional releases of data in the MALPB's control environment and the sufficiency of the proposed data breach insurance coverage to mitigate such exposures. In addition, the MALPB's justification for the proposed proper amount of data breach insurance coverage shall evaluate the potential costs to the MALPB as a result of a breach, which shall include, but not be limited to, forensic costs, legal fees, first party and third party liabilities, notification requirements, remediation costs, restoration costs, and business impact.

O.C.G.A. §§ 7-9-3, 7-9-13.
