The Utah Insurance Department adopted amendments to R590-216, Standards for Safeguarding Customer Information. The amendments went into effect June 9.
The amended rule states, “The purpose of this rule is to establish standards to assist a licensee in developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information under the Gramm-Leach-Bliley Act.”
It applies to a licensee of the department that obtains any nonpublic information from a customer, including nonpublic personal financial information or nonpublic personal health information.
Licensees are required to implement a comprehensive written information security program including administrative, technical, and physical safeguards to protect customer information. The administrative, technical, and physical safeguards included in the program must be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Among other things, it states that for the purposes of risk management and control, a licensee may:
- Design its information security program to control the identified risks, consistent with the sensitivity of the information, as well as the complexity and scope of the licensee’s activities;
- Train staff to implement the licensee’s information security program; and
- Regularly test or otherwise monitor the key controls, systems and procedures of the information security program, the frequency and nature of which shall be determined by the licensee’s risk assessment.
For the purposes of program adjustment, a licensee may monitor, evaluate, and adjust the information security program considering:
- Any relevant change in technology;
- The sensitivity of its customer information;
- Any internal or external threat to information; and
- The licensee’s changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
The amended rule notes these are examples of implementation methods, and licensees may adopt other actions or procedures to implement Sections R590-216-4 and R590-216-5.