PURPOSE: This rule establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, pursuant to sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b), and 6807, and as authorized by section 362.422, RSMo Supp. 2001. This rule requires that the safeguards established pursuant to this rule shall apply to nonpublic personal information and nonpublic personal financial information.

(1) Definitions. For purposes of this rule, the following definitions apply:
(A) "Customer" means a customer of the licensee as the term customer is defined in subsection 20 CSR 100-6.100(1)(I);
(B) "Customer information" means nonpublic personal information as defined in 20 CSR 100-6.100 about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the licensee;
(C) "Customer information systems" means the electronic or physical methods used to access, collect, store, use, transmit, protect, or dispose of customer information;
(D) "Licensee" means a licensee as that term is defined in 20 CSR 100-6.100(1)(N), except that "licensee" shall not include: a purchasing group; or an unauthorized insurer in regard to the surplus line business conducted pursuant to 20 CSR 200-6.100 to 20 CSR 200-6.500 and Chapter 384, RSMo;
(E) "Service provider" means a person that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the licensee.

(2) Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

(3) Objectives of Information Security Program. A licensee's information security program shall be designed to:
(A) Ensure the security and confidentiality of customer information;
(B) Protect against any anticipated threats or hazards to the security or integrity of the information; and
(C) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

(4) Examples of Methods of Development and Implementation. The actions and procedures described in sections (5) through (8) of this regulation are examples of methods of implementation of the requirements of sections (2) and (3) of this regulation. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement sections (2) and (3) of this regulation.

(5) Assess Risk. The licensee:
(A) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(B) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
(C) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.

(6) Manage and Control Risk. The licensee:
(A) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;
(B) Trains staff, as appropriate, to implement the licensee's information security program; and
(C) Regularly tests or otherwise regularly monitors the key controls, systems, and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

(7) Oversee Service Provider Arrangements. The licensee:
(A) Exercises appropriate due diligence in selecting its service providers; and
(B) Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

(8) Adjust the Program. The licensee evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

(9) Compliance Date. Each licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this regulation, by June 1, 2003.
AUTHORITY: sections 362.422, RSMo Supp. 2001 and 374.045, 375.948 and 536.016, RSMo 2000.* Original rule filed Oct. 1, 2002, effective April 30, 2003.
*Original authority: 362.422, RSMo 2001; 374.045, RSMo 1967, amended 1993, 1995; 375.948, RSMo 1959, amended 1978, 1991; and 536.016, RSMo 1997, amended 1999.