As used in this chapter, unless the context otherwise requires:
1. “Authorized individual” means an individual known to and screened by a licensee and
determined to be necessary and appropriate to have access to nonpublic information held by
the licensee and the licensee’s information system.
2. “Commissioner” means the commissioner of insurance.
3. “Consumer” means an individual, including but not limited to an applicant,
policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this
state and whose nonpublic information is in a licensee’s possession, custody, or control.
4. “Cybersecurity event” means an event resulting in unauthorized access to, or the
disruption or misuse of, an information system or of nonpublic information stored on an
information system. “Cybersecurity event” does not include any of the following:
a. The unauthorized acquisition of encrypted nonpublic information if the encryption,
process, or key is not also acquired, released, or used without authorization.
b. An event for which a licensee has determined that the nonpublic information accessed
by an unauthorized person has not been used or released, and the nonpublic information has
been returned or destroyed.
5. “Delivered by electronic means” means delivery to an electronic mail address at which
a consumer has consented to receive notices or documents.
6. “Encrypted” means the transformation of data into a form that results in a low
probability of assigning meaning to the data without the use of a protective process or key.
7. “Gramm-Leach-Bliley Act” means the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801
et seq., including amendments thereto and regulations promulgated thereunder.
8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health
Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including
amendments thereto and regulations promulgated thereunder.
9. “Home state” means the same as defined in section 522B.1.
§507F.3, INSURANCE DATA SECURITY 2
10. “Information security program” means the administrative, technical, and physical
safeguards that a licensee uses to access, collect, distribute, process, protect, store, use,
transmit, dispose of, or otherwise handle nonpublic information.
11. “Information system” means a discrete set of electronic information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or
disposition of electronic nonpublic information, and any specialized system such as an
industrial or process controls system, a telephone switching and private branch exchange
system, or an environmental control system.
12. “Insurer” means the same as defined in section 521A.1.
13. “Licensee” means a person licensed, authorized to operate, or registered, or a person
required to be licensed, authorized to operate, or registered pursuant to the insurance laws of
this state. “Licensee” does not include a purchasing group or a risk retention group chartered
and licensed in a state other than this state, or a person acting as an assuming insurer that is
domiciled in another state or jurisdiction.
14. “Multi-factor authentication” means authentication through verification of at least two
of the following types of authentication factors:
a. A knowledge factor, such as a password.
b. A possession factor, such as a token or text message on a mobile phone.
c. An inherence factor, such as a biometric characteristic.
15. “Nonpublic information” means electronic information that is not publicly available
information and that is any of the following:
a. Business-related information of a licensee the tampering of which, or unauthorized
disclosure, access, or use of which, will cause a material adverse impact to the business,
operations, or security of the licensee.
b. Information concerning a consumer which can be used to identify the consumer due
to a name, number, personal mark, or other identifier, used in combination with any one or
more of the following data elements:
(1) A social security number.
(2) A driver’s license number or a nondriver identification card number.
(3) A financial account number, a credit card number, or a debit card number.
(4) A security code, an access code, or a password that will permit access to a consumer’s
financial accounts.
(5) A biometric record.
c. Information or data, except age or gender, in any form or medium created by or derived
from a health care provider or a consumer, and that relates to any of the following:
(1) The past, present, or future physical, mental or behavioral health or condition of a
consumer, or a member of the consumer’s family.
(2) The provision of health care services to a consumer.
(3) Payment for the provision of health care services to a consumer.
16. “Person” means an individual or a nongovernmental entity, including but not limited
to a nongovernmental partnership, corporation, branch, agency, or association.
17. “Publicly available information” means information that a licensee has a reasonable
basis to believe is lawfully made available to the general public from federal, state, or local
government records, by widely distributed media, or by disclosure to the general public
as required by federal, state, or local law. For purposes of this definition, a licensee has a
reasonable basis to believe that information is lawfully made available to the general public
if the licensee has determined all of the following:
a. That the information is of a type that is available to the general public.
b. That if a consumer may direct that the information not be made available to the general
public, that the consumer has not directed that the information not be made available to the
general public.
18. “Risk assessment” means the assessment that a licensee is required to conduct
pursuant to section 507F.4, subsection 3.
19. “Third-party service provider” means a person that is not a licensee that contracts
with a licensee to maintain, process, store, or is otherwise permitted access to nonpublic
information through the person’s provision of services to the licensee.