(a) A licensee's information security program shall be designed to:

(1) Protect the security and confidentiality of nonpublic information and the security of the information system;
(2) Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
(3) Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

Terms Used In Hawaii Revised Statutes 431:3B-202

  • Consumer: means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control. See Hawaii Revised Statutes 431:3B-101
  • Risk assessment: means the risk assessment that each licensee is required to conduct under section 431:3B-202. See Hawaii Revised Statutes 431:3B-101
  • Third-party service provider: means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Hawaii Revised Statutes 431:3B-101

(b) Regarding risk assessment, the licensee shall:

(1) Designate one or more employees, an affiliate, or a third-party service provider to act on behalf of the licensee who is responsible for the information security program;
(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
(3) Assess the likelihood and potential damage of the reasonably foreseeable internal or external threats, taking into consideration the sensitivity of the nonpublic information;
(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats, including consideration of threats in each relevant area of the licensee’s operations, including:

(A) Employee training and management;
(B) Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
(C) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
(5) Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.