Section 675.NEW - [Newly enacted section not yet numbered] [Written data security policy]A licensee who authorizes any employee to engage in the business of lending in this State at a remote location shall develop and adhere to a written data security policy. The data security policy must set forth procedures and requirements to ensure that:
1. Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;2. An employee working at a remote location is able to access the computerized data system of the licensee and other computer systems of the licensee only through the use of a virtual private network or other system that:(a) Requires the use of a username and password, frequent password changes, multifactor authentication, a system that automatically prevents a person from accessing an account upon the failure of the person to enter the appropriate credentials after a set number of attempts or any combination thereof; and(b) Uses data encryption;3. Any updates or repairs necessary to keep data and equipment secure are installed or implemented immediately;4. All data of the licensee is stored in a safe and secure manner and the computerized data system of the licensee is capable of being modified to accommodate the storage of data necessary for an employee working at a remote location to perform his or her work;5. Each remote location at which an employee works contains computers or other electronic devices which make use of reasonable security measures, such as antivirus software and firewalls;6. The computerized data system of the licensee and other computer systems of the licensee may only be accessed through computers or other electronic devices which: (a) Are issued by the licensee; and(b) May only be used by an employee while performing activities approved by the licensee;7. An internal or external risk assessment is performed annually on the protection of the data of the licensee from reasonably foreseeable internal or external risks;8. After the performance of a risk assessment pursuant to subsection 7, the data security policy is updated to correct any deficiencies identified in the risk assessment;9. The licensee has procedures in place which establish the actions that must be taken upon the: (a) Discovery of a breach of the security of the computerized data system, including, without limitation, any actions that must be taken concerning the disclosure of the breach as required by section 9 of this act or other applicable law; and(b) Occurrence of an emergency, including, without limitation, a fire or natural disaster, that has the potential to impact the storage of or access to data of the licensee;10. The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and11. The licensee is able, without the licensee or an agent of the licensee being physically present at a remote location, to disconnect any computer or device provided to an employee at a remote location from the computerized data system of the licensee or other computer systems of the licensee and disable and erase any data from such a computer or device upon termination of the employee's employment with the licensee.Added by 2023, Ch. 527,§6, eff. 10/1/2023.