As used in this part:
(1)"Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and the licensee's information systems;
(2)"Commissioner" means the commissioner of commerce and insurance, or the commissioner's designee;
(3)"Consumer" means an individual, including an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control;
(4)"Cybersecurity event":
(A)Means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system; and
Free access — add to your briefcase to read the full text and ask questions with AI
As used in this part: (1) "Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and the licensee's information systems; (2) "Commissioner" means the commissioner of commerce and insurance, or the commissioner's designee; (3) "Consumer" means an individual, including an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control; (4) "Cybersecurity event": (A) Means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system; and (B) Does not include: (i) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or (ii) An event in which the licensee determines that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed; (5) "Department" means the department of commerce and insurance; (6) "Encrypted" means the transformation of data into a form that results in a low probability that its meaning is discernible without the use of a protective process or key; (7) "Immediate family" means a spouse; child or grandchild by blood, adoption, or marriage; sibling; parent; or grandparent; (8) "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information; (9) "Information system" means: (A) A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information; or (B) A specialized system, including an industrial or process control system, a telephone switching and private branch exchange system, and an environmental control system; (10) "Licensee": (A) Means a person: (i) Licensed, authorized to operate, or registered pursuant to this title; or (ii) Required to be licensed, authorized to operate, or registered pursuant to this title; and (B) Does not include a purchasing group or risk retention group chartered and licensed in another state or a person acting as an assuming insurer and domiciled in another state or jurisdiction; (11) "Multi-factor authentication" means authentication through verification of at least two (2) of the following types of authentication factors: (A) Knowledge factors, such as by a password; (B) Possession factors, such as by a token or text message on a mobile phone; or (C) Inherence factors, such as by a biometric characteristic; (12) "Nonpublic information" means information that is not publicly available and that is: (A) Business-related information of a licensee, in which the tampering with, unauthorized disclosure of, access to, or use of, would cause a material adverse impact to the business, operations, or security of the licensee; (B) Information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify that consumer, in combination with the following: (i) A social security number; (ii) A driver license number or non-driver identification card number; (iii) A financial account number or credit or debit card number; (iv) A security code, access code, or password that would permit access to the consumer's financial accounts; or (v) Biometric records; or (C) Information or data, except a person's age or sex, created by or derived from a healthcare provider or a consumer that relates to: (i) The past, present, or future physical, mental, or behavioral health or health condition of a consumer or a member of a consumer's immediate family; (ii) The provision of health care to a consumer; or (iii) Payment for the provision of health care to a consumer; (13) "Person" means an individual or non-governmental entity, including a sole proprietorship, corporation, limited liability company, partnership, trust, religious organization, association, nonprofit organization described in § 501(c) of the Internal Revenue Code that is exempt from federal income taxation under § 501(a) of the Internal Revenue Code ( 26 U.S.C. § 501(a) ), or another legal entity, whether formed as a for-profit or not-for-profit entity; (14) "Publicly available information" means information that a licensee has a reasonable basis to believe is lawfully made available to the public. For purposes of this subdivision (14), a licensee has a reasonable basis to believe that information is lawfully made available to the public if the licensee has taken steps reasonably necessary to determine: (A) That the information is of a type that is available to the public through government records, widely distributed media, or public disclosures required by law; or (B) That a consumer can direct that the information not be made available to the public and, if so, that the consumer has not made that direction; (15) "Risk assessment" means the risk assessment that each licensee must conduct under § 56-2-1004(3) ; and (16) "Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store, or is otherwise permitted access to maintain, process, or store, nonpublic information through its provision of services to the licensee.