Missouri Code of State Regulations
Title 20 - DEPARTMENT OF COMMERCE AND INSURANCE
Division 100 - Insurer Conduct
Chapter 6 - Privacy of Consumer Information
Section 20 CSR 100-6.110 - Standards for Safeguarding Customer Information
Current through Register Vol. 49, No. 6, March 15, 2024
PURPOSE: This rule establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, pursuant to sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b), and 6807, and as authorized by section 362.422, RSMo Supp. 2001. This rule requires that the safeguards established pursuant to this rule shall apply to nonpublic personal information and nonpublic personal financial information.
(1) Definitions. For purposes of this rule, the following definitions apply:
(2) Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
(3) Objectives of Information Security Program. A licensee's information security program shall be designed to:
(4) Examples of Methods of Development and Implementation. The actions and procedures described in sections (5) through (8) of this regulation are examples of methods of implementation of the requirements of sections (2) and (3) of this regulation. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement sections (2) and (3) of this regulation.
(5) Assess Risk. The licensee:
(6) Manage and Control Risk. The licensee:
(7) Oversee Service Provider Arrangements. The licensee:
(8) Adjust the Program. The licensee evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
(9) Compliance Date. Each licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this regulation, by June 1, 2003.
*Original authority: 362.422, RSMo 2001; 374.045, RSMo 1967, amended 1993, 1995; 375.948, RSMo 1959, amended 1978, 1991; and 536.016, RSMo 1997, amended 1999.