Me. Stat. tit. 24-A § 2263

Current through 131st (2023-2024) Legislature Chapter 684
Section 2263 - Definitions

As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings. [2021, c. 24, §1(NEW).]

1. Authorized individual. "Authorized individual" means an individual whose access to the nonpublic information held by a licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate.

[2021, c. 24, §1(NEW).]

2. Consumer. "Consumer" means an individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody or control.

[2021, c. 24, §1(NEW).]

3. Cybersecurity event. "Cybersecurity event" means an event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system.

"Cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization.

"Cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

[2021, c. 24, §1(NEW).]

4. Encrypted. "Encrypted," with respect to data, means that the data has been transformed into a form that results in a low probability of assigning meaning without the use of a protective process or key.

[2021, c. 24, §1(NEW).]

5. Information security program. "Information security program" means the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information.

[2021, c. 24, §1(NEW).]

6. Information system. "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as an industrial or process control system, a telephone switching and private branch exchange system or an environmental control system.

[2021, c. 24, §1(NEW).]

7. Insurance carrier. "Insurance carrier" has the same meaning as in section 2204, subsection 15.

[2021, c. 24, §1(NEW).]

8. Licensee. "Licensee" means a person licensed, authorized to operate or registered or required to be licensed, authorized or registered pursuant to the insurance laws of this State. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer and is domiciled in another state or jurisdiction.

[2021, c. 24, §1(NEW).]

9. Multifactor authentication. "Multifactor authentication" means authentication through verification of at least 2 of the following types of authentication factors:
A. Knowledge factors, such as a password; [2021, c. 24, §1(NEW).]
B. Possession factors, such as a token or text message on a mobile telephone; and [2021, c. 24, §1(NEW).]
C. Inherence factors, such as a biometric characteristic. [2021, c. 24, §1(NEW).]

[2021, c. 24, §1(NEW).]

10. Nonpublic information. "Nonpublic information" means information that is not publicly available information and is:
A. Business-related information of a licensee the tampering with or unauthorized disclosure of, access to or use of which would materially and adversely affect the business, operations or security of the licensee; [2021, c. 24, §1(NEW).]
B. Information that, because of name, number, personal mark or other identifier, can be used in combination with any one or more of the following data elements to identify a consumer:
(1) Social security number;
(2) Driver's license number or nondriver identification card number;
(3) Financial account number or credit or debit card number;
(4) Any security code, access code or password that would permit access to a consumer's financial account; or
(5) Biometric records; or [2021, c. 24, §1(NEW).]
C. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
(1) The past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer's family;
(2) The provision of health care to a consumer; or
(3) Payment for the provision of health care to a consumer. [2021, c. 24, §1(NEW).]

"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the so-called safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

[2021, c. 24, §1(NEW).]

11. Publicly available information. "Publicly available information" means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
A. Federal, state or local government records; [2021, c. 24, §1(NEW).]
B. Widely distributed media; or [2021, c. 24, §1(NEW).]
C. Disclosures to the general public that are required to be made by federal, state or local law. [2021, c. 24, §1(NEW).]

For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine that the information is of a type that is available to the general public and if a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

[2021, c. 24, §1(NEW).]

12. Risk assessment. "Risk assessment" means the risk assessment that a licensee is required to conduct under section 2264, subsection 3.

[2021, c. 24, §1(NEW).]

13. Third-party service provider. "Third-party service provider" means a person that is not a licensee and that contracts with a licensee to maintain, process or store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

[2021, c. 24, §1(NEW).]

24-A M.R.S. § 2263

Added by 2021, c. 24, § 1, eff. 1/1/2022.