Can I store personal information about my customers in Missouri? What are the requirements?
Requirements for Storing Personal Information of Customers in Missouri
Yes, you can store personal information about your customers in Missouri, but you must comply with the Standards for Safeguarding Customer Information as outlined in MOCS 20 CSR 100-6.110 [1.1].
According to the regulation, you must implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.
Your information security program should be designed to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of the information; and
- Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.
You must assess the risk, manage and control risk, oversee service provider arrangements, and adjust the program as necessary [1.1].
Additionally, you must comply with the Privacy of Financial Information regulation as outlined in MOCS 20 CSR 100-6.100 [1.2]. This regulation requires that you provide clear and conspicuous notice to your customers about your privacy policies and practices, including the types of information you collect, how you use and share the information, and how you protect the information. You must also provide customers with the opportunity to opt out of certain information-sharing practices [1.2].
Furthermore, you must comply with the Privacy of Computer-accessible, Confidential Personal Information regulation as outlined in MOCS 1 CSR 10-2.020 [2.1]. This regulation requires agencies to develop a policy and procedure to protect computer-accessible, confidential personal information. Agencies must maintain a current description of computer-accessible, confidential personal information, a list of agencies that have access to the information, and the reason the information is kept. The collecting agency must also identify the statute that is the basis to classify the personal information as confidential. A written agreement to protect the right to privacy of computer-accessible, confidential personal information must be signed before that information is provided by an agency to any other agency or private entity acting on behalf of an agency. The head of each agency or the agency’s designated representative shall annually certify that these rules are implemented [2.1].
Failure to comply with these regulations may result in penalties and legal action [1.1][1.2][2.1].
Therefore, it is important to ensure that you have appropriate safeguards in place to protect your customers’ personal information and that you comply with all applicable regulations.
Source(s):
- [1.1] Standards for Safeguarding Customer Information
- [1.2] Privacy of Financial Information
- [2.1] Privacy of Computer-accessible, Confidential Personal Information
Jurisdiction
Missouri