(1) fewer than fifty (50) employees;

(3) less than ten million dollars ($10,000,000) in year-end total assets.

     (b) A licensee that:

(1) is subject to the federal Health Insurance Portability and Accountability Act (Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996); and

(2) has established and maintains an information security program pursuant to that federal act and the regulations, procedures, or guidelines established under that act;

will be considered as meeting the requirements of this chapter, except for the notice requirements described in section 21 of this chapter.

     (c) An individual who:

(1) is an employee, agent, representative, or designee of a licensee; and

(2) is also a licensee;

is exempt from sections 16 through 20 of this chapter and need not develop the individual’s own information security program to the extent that the individual is covered by the information security program of the licensee of which the individual is an employee, agent, representative, or designee.

     (d) A licensee shall be considered to have complied with sections 16 through 20 of this chapter if the licensee is affiliated with a financial institution (as defined in 15 U.S.C. § 6809) that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Consumer Information adopted under Sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 and 6805(b)).

     (e) If a licensee ceases to qualify for an exception under subsection (a), (b), (c), or (d), the licensee must comply with sections 16 through 20 of this chapter not more than one hundred eighty (180) days after the licensee ceases to qualify for the exception.

As added by P.L.130-2020, SEC.10.