§2269. Application; exceptions
1.
Small business exception.
A licensee with fewer than 10 employees, including any independent contractors working for the licensee in the business of insurance, is exempt from section 2264.
[PL 2021, c. 24, §1 (NEW).]
2.
Licensees subject to federal law.
The following provisions apply to licensees subject to federal law.
A.
A licensee that is subject to and in compliance with the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and related privacy, security and breach notification regulations pursuant to 45 Code of Federal Regulations, Parts 160 and 164 and the federal Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 is considered to meet the requirements of this chapter, other than the requirements of section 2266, subsection 1 for notification to the superintendent, if:
(1)
The licensee maintains a program for information security and breach notification that treats all nonpublic information relating to consumers in this State in the same manner as protected health information;
(2)
The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and
(3)
The superintendent has not issued a determination finding that the applicable federal regulations are materially less stringent than the requirements of this chapter.
[PL 2021, c. 24, §1 (NEW).]
B.
A licensee that is an insurance producer business entity, as licensed pursuant to section 1420‑E, owned by a depository institution and that maintains an information security program in compliance with the standards for safeguarding customer information as set forth pursuant to the federal Gramm-Leach-Bliley Act, 15 United States Code, Sections 6801 and 6805 is considered to meet the requirements of section 2264 if:
[PL 2021, c. 24, §1 (NEW).]
(1)
Upon request, the licensee produces documentation satisfactory to the superintendent that independently validates the controlling depository institution's adoption of an information security program that satisfies the standards for safeguarding customer information;
(2)
The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and
(3)
The superintendent has not issued a determination finding that the standards for safeguarding customer information are materially less stringent than the requirements of section 2264.
[PL 2021, c. 24, §1 (NEW).]
3.
Employee, agent, representative or designee also a licensee.
An employee, agent, representative or designee of a licensee that is also a licensee is exempt from section 2264 and need not develop its own information security program to the extent that the employee, agent, representative or designee is covered by the information security program of the other licensee.
[PL 2021, c. 24, §1 (NEW).]
If a licensee ceases to qualify for an exception under this section, the licensee has 180 days to comply with this chapter.
[PL 2021, c. 24, §1 (NEW).]
SECTION HISTORY
PL 2021, c. 24, §1 (NEW).