2022 Hawaii Revised Statutes
Title 24. Insurance
431. Insurance Code
431:3B-202 Objectives of the information security program; risk assessment.

§431:3B-202 Objectives of the information security program; risk assessment. (a) A licensee's information security program shall be designed to:

(1) Protect the security and confidentiality of nonpublic information and the security of the information system;

(2) Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;

(3) Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and

(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

(b) Regarding risk assessment, the licensee shall:

(1) Designate one or more employees, an affiliate, or a third-party service provider to act on behalf of the licensee who is responsible for the information security program;

(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;

(3) Assess the likelihood and potential damage of the reasonably foreseeable internal or external threats, taking into consideration the sensitivity of the nonpublic information;

(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats, including consideration of threats in each relevant area of the licensee's operations, including:

(A) Employee training and management;

(B) Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and

(C) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and

(5) Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. [L 2021, c 112, pt of §2]
