Can I skip having an information security program in place in Pennsylvania? What are the requirements?
In Pennsylvania, it is not advisable to skip having an information security program in place. According to 31 PACO Section 146c.4, a licensee’s information security program must be designed to safeguard the security and confidentiality of customer information, protect against any reasonably anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer. Additionally, 31 PACO Section 146c.9 requires the licensee to monitor, evaluate, and adjust the information security program as appropriate in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems. Therefore, it is important to have an information security program in place in Pennsylvania to comply with these requirements and protect customer information. [1.2][1.3]
Jurisdiction: Pennsylvania