(a) A licensee shall develop, implement, and maintain a comprehensive, written information security program that:
- (1) is based on the risk assessment required under section 17 of this chapter; and
- (2) contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information systems.
(b) An information security program must accomplish the following:
- (1) Protect the security and confidentiality of nonpublic information and information systems.
- (2) Protect against any threats or hazards to the security or integrity of nonpublic information and information systems.
- (3) Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer.
- (4) Define and periodically reevaluate a schedule for retention of nonpublic information and a procedure for its destruction when no longer needed.
As added by P.L.130-2020, SEC.10.