TITLE 50: INSURANCE
CHAPTER I: DEPARTMENT OF INSURANCE SUBCHAPTER tt: INSURANCE INFORMATION AND PRIVACY PROTECTION
PART 4003 STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

AUTHORITY: Implementing Article XXVI and Article XL of the Illinois Insurance Code [215 ILCS 5/Arts. XXVI and XL], and Title V of the Gramm-Leach-Bliley Act (15 USC 6801 through 6827) and authorized by Section 401 and Article XL of the Illinois Insurance Code [215 ILCS 5/401 and Art. XL].

SOURCE: Adopted at 27 Ill. Reg. 10685, effective July 7, 2003.

Section 4003.10  Purpose

The purpose of this Part is to establish standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information pursuant to Sections 501, 505(b) and 507 of the Gramm-Leach-Bliley Act (15 USC 6801, 6805(b) and 6807).

Section 4003.20  Applicability

This Part applies to all licensees, companies, and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered, or domiciled pursuant to the Illinois Insurance Code or any other Act of Chapter 215 of the Illinois Compiled Statutes.  This Part also applies to unauthorized insurers or companies who accept business placed through a licensed surplus line producer in this State, but only in regard to the surplus line transactions placed pursuant to Section 445 of the Illinois Insurance Code [215 ILCS 5/445].  However, this Part does not apply to "service contract providers" as defined by the Service Contract Act [215 ILCS 152].

Section 4003.30  Definitions

Code means the Illinois Insurance Code [215 ILCS 5].

Customer means a customer of the licensee as the term customer is defined in 50 Ill. Adm. Code 4002.30.

Customer Information means nonpublic personal financial information as defined in Section 50 Ill. Adm. Code 4002.30 about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the licensee.

Customer Information Systems means the electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information.

Department means the Illinois Department of Insurance.

Director means the Director of the Illinois Department of Insurance.

Licensee means a licensee as that term is defined in Section 50 Ill. Adm. Code 4002.30, except that "licensee" shall not include: purchasing group; or an unauthorized insurer in regard to the excess line business conducted pursuant to Section 445 of the Code.

Service Provider means a person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee.

Section 4003.40  Information Security Program

Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

Section 4003.50  Objectives of Information Security Program

A licensee’s information security program shall be designed to:

a) Ensure the security and confidentiality of customer information;

b) Protect against any anticipated threats or hazards to the security or integrity of the information; and

c) Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

Section 4003.60  Examples of Methods of Development and Implementation

The actions and procedures described in Sections 4003.70 through 4003.100 of this Part are examples of methods of implementation of the requirements of Sections 4003.40 and 4003.50 of this Part. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement Sections 4003.40 and 4003.50.

Section 4003.70  Assess Risk

The licensee:

a) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;

b) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and

c) Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.

Section 4003.80  Manage and Control Risk

The licensee:

a) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;

b) Trains staff, as appropriate, to implement the licensee's information security program; and

c) Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

Section 4003.90  Oversee Service Provider Arrangements

The licensee:

a) Exercises appropriate due diligence in selecting its service providers; and

b) Requires its service providers to implement appropriate measures designed to meet the objectives of this Part, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

Section 4003.100  Adjust the Program

The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

Section 4003.110  Penalties

Failure to meet the requirements of this Part shall subject the licensee to penalty provisions of Section 403A of the Illinois Insurance Code [215 ILCS 5/403A].