- (a) If a holder is required to include confidential information in a report to the Administrator, the information must be provided by a secure means.
(b) If confidential information in a record is provided to and maintained by the Administrator or Administrator's agent as required by this chapter, the Administrator or agent shall:
- (1) Implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information required by §§ § 28-3851 to 28-3864 and federal privacy and data security law whether or not the Administrator or the Administrator's agent is subject to the law;
- (2) Protect against reasonably anticipated threats or hazards to the security, confidentiality, or integrity of the information; and
- (3) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to a holder or the holder's customers, including insureds, annuitants, and policy or contract owners and their beneficiaries.
(c) The Administrator:
- (1) After notice and comment, shall adopt and implement a security plan that identifies and assesses reasonably foreseeable internal and external risks to confidential information in the Administrator's possession and seeks to mitigate the risks; and
- (2) Shall ensure that an Administrator's agent adopts and implements a similar plan with respect to confidential information in the agent's possession.
- (d) The Administrator and the Administrator's agent shall educate and train their employees regarding the plan adopted under subsection (c) of this section.
- (e) The Administrator and the Administrator's agent shall in a secure manner return or destroy all confidential information no longer reasonably needed under this chapter.
History
Nov. 13, 2021, D.C. Law 24-45, § 7087