Can I skip having an information security program in place in Alabama? What are the requirements?
Based on the information provided in the context documents, it is not possible to skip having an information security program in place in Alabama. Alabama law requires each licensee to develop, implement, and maintain a comprehensive written information security program based on the risk assessment of the licensee that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the information system of the licensee [2.1]. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities [1.1]. The information security program of a licensee shall be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer, and define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed [2.1].
A licensee’s information security program shall be designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer [1.2]. The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems [1.3].
Each licensee shall notify the commissioner as promptly as possible, but in no event later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:
(1) This state is the state of domicile of the licensee, in the case of an insurer, or this state is the home state of the licensee, in the case of a producer, as those terms are defined in Section 27-7-1, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operation of the licensee.
(2) The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in this state and the cybersecurity event is either of the following:
  a. A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law.
  b. A cybersecurity event that has a reasonable likelihood of materially harming either of the following:
    1. Any consumer residing in this state.
    2. Any material part of the normal operation of the licensee [2.2].
Therefore, it is mandatory for licensees to have an information security program in place in Alabama, and failure to comply with these requirements may result in penalties and legal consequences.
Source(s):
- [1.1] Information Security Program
- [1.2] Objectives Of Information Security Program
- [2.1] Information security program.
- [1.3] Adjust The Program
- [2.2] Notification of cybersecurity event.
Jurisdiction
Alabama