Current through Bulletin 2024-06, March 15, 2024
(1) The provider shall maintain the following client records:
(a) documentation of each ignition interlock system activity provided to a client which include:
(i) the client's:
(A) full legal name;
(B) date of birth;
(C) driver license number and state of issuance; and
(D) license plate number and state of issuance;
(ii) the type of service provided;
(iii) the exact date the service was performed;
(iv) the name of the installer who performed each service; and
(v) the name of the manufacturer and system serial number for the:
(A) relay; and
(B) handset;
(b) original copies of client contracts;
(c) client responsibility forms;
(d) original copies of receipts and invoices;
(e) installation reports; and
(f) certificates of calibration with serial numbers of the:
(i) relay; and
(ii) handset.
(2) The provider shall:
(a) store any client records in a location accessible to the division during normal business hours; and
(b) store active client records in a single location in the service center.
(3) The provider may store inactive client records in a single offsite storage location after one year has elapsed since the system was removed.
(4) The provider shall maintain client records for a period of four years after the contractual obligation with the client has concluded.
(5) Each provider shall review the records of the business every six months for completeness and accuracy.
(6) The provider shall immediately file an affidavit with the division if any records the business is required to maintain are lost or destroyed which states:
(a) the date the record was lost or destroyed;
(b) the circumstances surrounding the loss or destruction;
(c) the effect the loss may have on clients or the business's ability to fulfill requirements under this rule; and
(d) a description of the contents of the records lost or destroyed.
(7) In the event of a breach of data security, the provider shall:
(a) notify the division immediately after becoming aware of a breach of data security;
(b) cooperate with the state regarding recovery of data, remediation; and involvement of law enforcement;
(c) bear the cost of notifying everyone whose personal information may have been compromised;
(d) notify those individuals whose personal information may have been compromised in accordance with Title 13, Chapter 44, Protection of Personal Information Act;
(e) perform an analysis to determine the cause of the breach;
(f) produce a remediation plan to reduce the risk of incurring a similar type of breach in the future; and
(g) present the analysis and remediation plan to the division within ten days of notifying the division of the breach of data security.
(8)
(a) The division has the right to adjust the plan under Subsection (6)(f), at its sole discretion.
(b) If the provider cannot produce the required analysis and plan under Subsection (6)(f) within the allotted time, the state, in its sole discretion, may perform an analysis and produce a remediation plan that the provider shall comply with, at the provider's sole cost.
(9) The provider shall:
(a) ensure any client records, state records, and information remain confidential at all times; and
(b) comply with state and federal laws, rules, and regulations concerning the confidentiality of information.