- (a) If a holder is required to include confidential information in a report to the attorney general, the information must be provided by a secure means.
(b) If confidential information in a record is provided to and maintained by the attorney general or the attorney general's agent as required by this chapter, the attorney general or the attorney general's agent shall:
- (1) implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information required by IC 4-1-11 and federal privacy and data security law whether or not the attorney general or the attorney general's agent is subject to the law;
- (2) protect against reasonably anticipated threats or hazards to the security, confidentiality, or integrity of the information; and
- (3) protect against unauthorized access to or use of the information which could result in substantial harm or inconvenience to a holder or the holder's customers, including insureds, annuitants, and policy or contract owners and their beneficiaries.
(c) The attorney general:
- (1) after notice and comment, shall adopt and implement a security plan that identifies and assesses reasonably foreseeable internal and external risks to confidential information in the attorney general's possession and seeks to mitigate the risks; and
- (2) shall ensure that the attorney general's agent adopts and implements a similar plan with respect to confidential information in the agent's possession.
- (d) The attorney general and the attorney general's agent shall educate and train their employees regarding the plan adopted under subsection (c).
- (e) The attorney general and the attorney general's agent shall in a secure manner return or destroy all confidential information no longer reasonably needed under this chapter.
As added by P.L.141-2021, SEC.20.