As used in this part:

(1) “Authorized individual” means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and the licensee’s information systems;

Terms Used In Tennessee Code 56-2-1003

  • Beneficiary: A person who is entitled to receive the benefits or proceeds of a will, trust, insurance policy, retirement plan, annuity, or other contract. Source: OCC
  • Code: includes the Tennessee Code and all amendments and revisions to the code and all additions and supplements to the code. See Tennessee Code 1-3-105
  • Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
  • Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
  • Partnership: A voluntary contract between two or more persons to pool some or all of their assets into a business, with the agreement that there will be a proportional sharing of profits and losses.
  • sex: means a person's immutable biological sex as determined by anatomy and genetics existing at the time of birth and evidence of a person's biological sex. See Tennessee Code 1-3-105
  • State: when applied to the different parts of the United States, includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
(2) “Commissioner” means the commissioner of commerce and insurance, or the commissioner’s designee;
(3) “Consumer” means an individual, including an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in a licensee’s possession, custody, or control;
(4) “Cybersecurity event”:

(A) Means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system; and
(B) Does not include:

(i) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or
(ii) An event in which the licensee determines that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed;
(5) “Department” means the department of commerce and insurance;
(6) “Encrypted” means the transformation of data into a form that results in a low probability that its meaning is discernible without the use of a protective process or key;
(7) “Immediate family” means a spouse; child or grandchild by blood, adoption, or marriage; sibling; parent; or grandparent;
(8) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;
(9) “Information system” means:

(A) A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information; or
(B) A specialized system, including an industrial or process control system, a telephone switching and private branch exchange system, and an environmental control system;
(10) “Licensee”:

(A) Means a person:

(i) Licensed, authorized to operate, or registered pursuant to this title; or
(ii) Required to be licensed, authorized to operate, or registered pursuant to this title; and
(B) Does not include a purchasing group or risk retention group chartered and licensed in another state or a person acting as an assuming insurer and domiciled in another state or jurisdiction;
(11) “Multi-factor authentication” means authentication through verification of at least two (2) of the following types of authentication factors:

(A) Knowledge factors, such as by a password;
(B) Possession factors, such as by a token or text message on a mobile phone; or
(C) Inherence factors, such as by a biometric characteristic;
(12) “Nonpublic information” means information that is not publicly available and that is:

(A) Business-related information of a licensee, in which the tampering with, unauthorized disclosure of, access to, or use of, would cause a material adverse impact to the business, operations, or security of the licensee;
(B) Information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify that consumer, in combination with the following:

(i) A social security number;
(ii) A driver license number or non-driver identification card number;
(iii) A financial account number or credit or debit card number;
(iv) A security code, access code, or password that would permit access to the consumer’s financial accounts; or
(v) Biometric records; or
(C) Information or data, except a person’s age or sex, created by or derived from a healthcare provider or a consumer that relates to:

(i) The past, present, or future physical, mental, or behavioral health or health condition of a consumer or a member of a consumer’s immediate family;
(ii) The provision of health care to a consumer; or
(iii) Payment for the provision of health care to a consumer;
(13) “Person” means an individual or non-governmental entity, including a sole proprietorship, corporation, limited liability company, partnership, trust, religious organization, association, nonprofit organization described in § 501(c) of the Internal Revenue Code that is exempt from federal income taxation under § 501(a) of the Internal Revenue Code (26 U.S.C. § 501(a)), or another legal entity, whether formed as a for-profit or not-for-profit entity;
(14) “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the public. For purposes of this subdivision (14), a licensee has a reasonable basis to believe that information is lawfully made available to the public if the licensee has taken steps reasonably necessary to determine:

(A) That the information is of a type that is available to the public through government records, widely distributed media, or public disclosures required by law; or
(B) That a consumer can direct that the information not be made available to the public and, if so, that the consumer has not made that direction;
(15) “Risk assessment” means the risk assessment that each licensee must conduct under § 56-2-1004(3); and
(16) “Third-party service provider” means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store, or is otherwise permitted access to maintain, process, or store, nonpublic information through its provision of services to the licensee.