18 Del. Admin. Code § 905
1.2 This regulation establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, pursuant to Sections 501, 505(b), and 507 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, 6805(b) and 6807.
1.2.2 Section 501(b) requires the state insurance regulatory authorities to establish appropriate standards relating to administrative, technical and physical safeguards:
2.1 For purposes of this regulation, the following definitions apply:
"Customer"means a customer of the licensee as the term customer is defined in Delaware Insurance Department Regulation 904 section 4.0 (Formerly Regulation 84).
“Customer information"means nonpublic personal information as defined in Delaware Insurance Department Regulation 904 sections 4.16 and 4.17 (Formerly Regulation 84) about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.
“Customer information systems"means the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.
"Licensee"means a licensee as that term is defined in Delaware Insurance Department Regulation 904 section 4.17 (Formerly Regulation 84), except that "licensee" shall not include: a purchasing group pursuant to18 Del.C. Ch. 80, or an unauthorized insurer in regard to the excess line business conducted pursuant to18 Del.C. Ch. 19.
Drafting Note: Although service contract providers and extended warranty providers are "licensees" under the insurance laws of many states, they are not so defined under Delaware law.
"Service provider"means a person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.
Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
A licensee's information security program shall be designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information; and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
The actions and procedures described in Sections 6 through 9 of this regulation are examples of methods of implementation of the requirements of sections 3.0 and 4.0 of this regulation. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement sections 3.0 and 4.0 of this regulation.
The licensee:
The licensee:
8.1 The licensee:
The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.
Repeated failure to comply with this Regulation will be grounds for investigation and enforcement as an unfair practice in the insurance business pursuant to18 Del.C. Ch. 23.
If any section or portion of a section of this regulation or its applicability to any person or circumstance is held invalid by a court, the remainder of the regulation or the applicability of the provision to other persons or circumstances shall not be affected.
This regulation shall become effective on February 11, 2003.
ADOPTED AND SIGNED BY THE COMMISSIONER, December 31, 2002
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)
6 DE Reg. 966 (2/1/03)