Utah Administrative Code
Topic - Insurance
Title R590 - Administration
Rule R590-216 - Standards for Safeguarding Customer Information
Section R590-216-6 - Methods of Development and Implementation
Universal Citation: UT Admin Code R 590-216-6
Current through Bulletin 2024-06, March 15, 2024
(1) For purposes of risk assessment, a licensee may:
(a) identify reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(b) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
(c) assess the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.
(2) For purposes of risk management and control, a licensee may:
(a) design its information security program to control the identified risks, consistent with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;
(b) train staff to implement the licensee's information security program; and
(c) regularly test or otherwise monitor the key controls, systems, and procedures of the information security program, the frequency and nature of which shall be determined by the licensee's risk assessment.
(3) For purposes of service provider arrangement oversight, a licensee may:
(a) exercise due diligence in selecting its service providers; and
(b) require its service providers to implement appropriate measures designed to meet the objectives of this rule, and, where indicated by the licensee's risk assessment, take appropriate steps to confirm that its service providers have satisfied these obligations.
(4) For purposes of program adjustment, a licensee may monitor, evaluate, and adjust the information security program considering:
(a) any relevant change in technology;
(b) the sensitivity of its customer information;
(c) any internal or external threat to information; and
(d) the licensee's changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
(5) Subsections (1) through (4) are examples of implementation methods. A licensee may adopt other actions or procedures to implement Sections R590-216-4 and R590-216-5.