Section 27-2-27-16 - Information security program; requirements(a) A licensee shall develop, implement, and maintain a comprehensive, written information security program that:(1) is based on the risk assessment required under section 17 of this chapter; and(2) contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information systems.(b) An information security program must accomplish the following:(1) Protect the security and confidentiality of nonpublic information and information systems.(2) Protect against any threats or hazards to the security or integrity of nonpublic information and information systems.(3) Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer.(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a procedure for its destruction when no longer needed.Added by P.L. 130-2020,SEC. 10, eff. 7/1/2020.