As used in this chapter:
1. "Authorized individual" means an individual known to and screened by the licensee
and determined to be necessary and appropriate to have access to the nonpublic
information held by the licensee and the licensee's information systems.
2. "Commissioner" means the insurance commissioner.
3. "Consumer" means an individual, including an applicant, policyholder, insured,
beneficiary, claimant, and certificate holder, who is a resident of this state and whose
nonpublic information is in a licensee's possession, custody, or control.
4. "Cybersecurity event" means an event resulting in unauthorized access to, disruption,
or misuse of, an information system or nonpublic information stored on the information
system. The term does not include the unauthorized acquisition of encrypted nonpublic
information if the encryption, process, or key is not also acquired, released, or used
without authorization.
5. "Department" means the insurance department.
6. "Encrypted" means the transformation of data into a form that results in a low
probability of assigning meaning without the use of a protective process or key.
7. "Information security program" means the administrative, technical, and physical
safeguards a licensee uses to access, collect, distribute, process, protect, store, use,
transmit, dispose of, or otherwise handle nonpublic information.
8. "Information system" means a discrete set of electronic information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or
disposition of electronic nonpublic information, as well as any specialized system,
including industrial or process controls systems, telephone switching, private branch
exchange systems, and environmental control systems.
9. "Licensee" means any person licensed, authorized to operate, registered, or required
to be licensed, authorized, or registered pursuant to the insurance laws of this state.
The term does not include a purchasing group or a risk retention group chartered and
licensed in another state or a licensee that is acting as an assuming insurer that is
domiciled in another state or jurisdiction.
10. "Multi-factor authentication" means authentication through verification of at least two of
the following types of authentication factors:
a. Knowledge factors, including a password;
b. Possession factors, including a token or text message on a mobile phone; or
c. Inherence factors, including a biometric characteristic.
11. "Nonpublic information" means electronic information that is not publicly available
information and is:
a. Any information concerning a consumer which can be used to identify the
consumer because of name, number, personal mark, or other identifier in
combination with any one or more of the following data elements:
(1) Social security number;
(2) Driver's license number or nondriver identification card number;
(3) Financial account number or credit or debit card number;
(4) Any security code, access code, or password that would permit access to a
consumer's financial account; or
(5) Biometric records.
b. Any information or data, except age or gender, in any form or medium created by
or derived from a health care provider or a consumer which can be used to
identify a particular consumer and relates to:
(1) The past, present, or future physical, mental, or behavioral health or
condition of any consumer or a member of the consumer's family;
(2) The provision of health care to any consumer; or
(3) Payment for the provision of health care to any consumer.
12. "Person" means any individual or any nongovernmental entity, including any
nongovernmental partnership, corporation, branch, agency, or association.
13. "Publicly available information" means any information a licensee has a reasonable
basis to believe is lawfully made available to the general public from federal, state, or
local government records; widely distributed media; or disclosures to the general
public which are required to be made by federal, state, or local law. A licensee has a
reasonable basis to believe that information is lawfully made available to the general
public if the licensee has taken steps to determine:
a. The information is of the type available to the general public; and
b. Whether a consumer can direct the information not be made available to the
general public and, if so, that the consumer has not done so.
14. "Risk assessment" means the risk assessment that each licensee is required to
conduct under section 26.1-02.2-03.
15. "Third-party service provider" means a person, not otherwise defined as a licensee,
that contracts with a licensee to maintain, process, store, or otherwise is permitted
access to nonpublic information through its provision of services to the licensee.