Title 806 | Chapter 003 | Regulation 230


806 KAR 3:230.Standards for safeguarding customer information.

Section 1.

Definitions.

(1)

"Consumer" means an individual who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information; or that individual's legal representative.

(2)

"Customer" means a consumer who has a customer relationship with a licensee.

(3)

"Customer information" means nonpublic personal information about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.

(4)

"Customer relationship" means a continuing relationship between a consumer and a licensee under which the licensee provides one (1) or more insurance products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(5)

"Licensee" means all insurers holding a certificate of authority, licensed producers, companies, or business entities licensed or required to be licensed, or authorized or required to be authorized, or registered, excluding service contract makers, or required to be registered pursuant to the Kentucky Insurance Code.

Section 2.

Information Security Program. Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

Section 3.

Objectives of Information Security Program. A licensee's information security program shall be designed to:

(1)

Ensure the security and confidentiality of customer information;

(2)

Protect against any anticipated threats or hazards to the security or integrity of the information; and

(3)

Protect against unauthorized access to or use of the information that may result in substantial harm or inconvenience to any customer.

Section 4.

Determined Violation. A violation of this administrative regulation may constitute an unfair trade practice in the business of insurance and shall subject the licensee to a civil penalty authorized by KRS 304.99-020.

HISTORY: (30 Ky.R. 774; 1308; 1517; eff. 1-5-2004; TAm eff. 8-9-2007; Crt eff. 2-28-2020; 46 Ky.R. 1364; 2079; 2589; eff. 4-1-2020.)

7-Year Expiration: 2/28/2027

Last Updated: 12/15/2021


Page Generated: 9/19/2024, 12:15:11 PM