- Except to the extent prohibited by law other than this article 13, the administrator or administrator’s agent shall notify a holder as soon as practicable of:
- Suspected loss, misuse, or unauthorized access, disclosure, modification, or destruction of confidential information obtained from the holder in the possession of the administrator or an administrator’s agent; and
- Any interference with operations in any system hosting or housing confidential information that:
- Compromises the security, confidentiality, or integrity of the information; or
- Creates a substantial risk of identity fraud or theft.
- Except as necessary to inform an insurer, attorney, investigator, or others as required by law, the administrator and an administrator’s agent shall not disclose, without the express consent in a record of the holder, an event described in subsection (1) of this section to a person whose confidential information was supplied by the holder.
- If an event described in subsection (1) of this section occurs, the administrator and the administrator’s agent shall:
- Take action necessary for the holder to understand and minimize the effects of the event and determine its scope; and
- Cooperate with the holder with respect to:
- Any notification required by law concerning a data or other security breach; and
- A regulatory inquiry, litigation, or similar action.
Source: L. 2019: Entire article R&RE, (SB 19-088), ch. 110, p. 460, § 1, effective July 1, 2020.