Section 1406 – Security of information.

• (1) If a holder is required to include confidential information in a report to the administrator, the information shall be provided by a secure means.

• (2) If confidential information in a record is provided to and maintained by the administrator or the administrator’s agent as required by this chapter, the administrator or the administrator’s agent shall:
  • (a) implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information required by Section 13-44-202 and federal privacy and data security law regardless of whether the administrator or the administrator’s agent is subject to the law;
  • (b) protect against reasonably anticipated threats or hazards to the security, confidentiality, or integrity of the information; and
  • (c) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to a holder or the holder’s customers, including insureds, annuitants, and policy or contract owners and the insureds’, annuitants’, and policy or contract owners’ beneficiaries.

• (3) The administrator:
  • (a) after notice and comment, shall adopt and implement a security plan that identifies and assesses reasonably foreseeable internal and external risks to confidential information in the administrator’s possession and seeks to mitigate the risks; and
  • (b) shall ensure that an administrator’s agent adopts and implements a similar plan with respect to confidential information in the administrator’s agent’s possession.

• (4) The administrator and the administrator’s agent shall educate and train the administrator’s and the administrator’s agent’s employees regarding the plan adopted under Subsection (3).

• (5) The administrator and the administrator’s agent shall in a secure manner return or destroy all confidential information no longer reasonably needed under this chapter.

Enacted by Chapter 371, 2017 General Session