eLaws | eCases | Utah Code | Utah Courts | Counties & Cities of Utah | Code of Federal Regulations |
 Utah Administrative Code (Current through November 1, 2019)
 R590. Insurance, Administration
 R590-216. Standards for Safeguarding Customer Information

  R590-216-6. Examples of Methods of Development and Implementation  

Latest version.

  • The actions and procedures described in this section are examples of methods of implementation of the requirements of Sections 4 and 5 of this rule. These examples are non-exclusive illustrations of actions and procedures that licensees may adopt to implement Sections 4 and 5 of this rule.

    (1) For risk assessment, the licensee may:

    (a) identify reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;

    (b) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and

    (c) assess the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.

    (2) For risk management and control, the licensee may:

    (a) design its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;

    (b) train staff, as appropriate, to implement the licensee's information security program; and

    (c) regularly test or otherwise regularly monitor the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

    (3) For service provider arrangement oversight, the licensee may:

    (a) exercise appropriate due diligence in selecting its service providers; and

    (b) require its service providers to implement appropriate measures designed to meet the objectives of this rule, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

    (4) For program adjustment, the licensee may monitor, evaluate and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.