Kentucky Administrative Regulations
Title 806 - PUBLIC PROTECTION CABINET - DEPARTMENT OF INSURANCE
Chapter 3 - Authorization of Insurers and General Requirements
Section 806 KAR 3:230 - Standards for safeguarding customer information
Current through Register Vol. 50, No. 9, March 1, 2024
RELATES TO: KRS 304.12-010, 304.12-130, 304.99-020, 15 U.S.C. 6801, 6805(b), 6807
NECESSITY, FUNCTION, AND CONFORMITY: KRS 304.2-110(1) authorizes the commissioner to promulgate reasonable administrative regulations necessary for or as an aid to the effectuation of any provision of the Kentucky Insurance Code. The Gramm-Leach-Bliley Act codified in 15 U.S.C. 6801(b) requires the state insurance regulatory authorities to establish appropriate standards relating to administrative, technical, and physical safeguards:
(1) to ensure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of these records; and
(3) to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer.
This administrative regulation establishes the appropriate standards for licensees of the Department of Insurance to safeguard customer information.
Section 1. Definitions.
Section 2. Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Section 3. Objectives of Information Security Program. A licensee's information security program shall be designed to:
Section 4. Determined Violation. A violation of this administrative regulation may constitute an unfair trade practice in the business of insurance and shall subject the licensee to a civil penalty authorized by KRS 304.99-020.
STATUTORY AUTHORITY: KRS 304.2-110(1), 15 U.S.C. 6801(b)