806 Ky. Admin. Regs. 3:230

Current through Register Vol. 49, No. 1, July 1, 2022
Section 806 KAR 3:230 - Standards for safeguarding customer information

RELATES TO: KRS 304.12-010, 304.12-130, 304.99-020, 15 U.S.C. 6801, 6805(b), 6807

NECESSITY, FUNCTION, AND CONFORMITY: KRS 304.2-110(1) authorizes the commissioner to promulgate reasonable administrative regulations necessary for or as an aid to the effectuation of any provision of the Kentucky Insurance Code. The Gramm-Leach-Bliley Act codified in 15 U.S.C. 6801(b) requires the state insurance regulatory authorities to establish appropriate standards relating to administrative, technical, and physical safeguards:

(1) to ensure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of these records; and
(3) to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer.

This administrative regulation establishes the appropriate standards for licensees of the Department of Insurance to safeguard customer information.
Section 1. Definitions.
(1) "Consumer" means an individual who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information; or that individual's legal representative.
(2) "Customer" means a consumer who has a customer relationship with a licensee.
(3) "Customer information" means nonpublic personal information about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.
(4) "Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one (1) or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(5) "Licensee" means all insurers holding a certificate of authority, licensed producers, companies, or business entities licensed or required to be licensed, or authorized or required to be authorized, or registered, excluding service contract makers, or required to be registered pursuant to the Kentucky Insurance Code.
Section 2. Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Section 3. Objectives of Information Security Program. A licensee's information security program shall be designed to:
(1) Ensure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of the information; and
(3) Protect against unauthorized access to or use of the information that may result in substantial harm or inconvenience to any customer.
Section 4. Determined Violation. A violation of this administrative regulation may constitute an unfair trade practice in the business of insurance and shall subject the licensee to a civil penalty authorized by KRS 304.99-020.

806 KAR 3:230

30 Ky.R. 774; 1308; 1517; eff. 1-5-2004; TAm eff. 8-9-2007; Crt eff. 2-28-2020; 46 Ky.R. 1364; 2079; 2589; eff. 4-1-2020.

STATUTORY AUTHORITY: KRS 304.2-110(1), 15 U.S.C. 6801(b)