Can I skip having an information security program in place in Delaware? What are the requirements?
No, you cannot skip having an information security program in place in Delaware. Delaware law requires that licensees develop, implement, and maintain a comprehensive, written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [3.1]. The information security program must be commensurate with the size and complexity of the licensee; the nature and scope of the licensee’s activities, including the licensee’s use of a third-party service provider; and the sensitivity of the nonpublic information that the licensee uses or has in the licensee’s possession, custody, or control [3.1]. The program must also include a risk assessment, oversight by the board of directors, oversight of third-party service provider arrangements, an incident response plan, and annual certification to the Commissioner of the domiciliary state [3.1].
Source(s):
- [3.1] Information security program [For application of this section, see 82 Del. Laws, c. 176, § 2].
Jurisdiction
Delaware