LIS

Administrative Code

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Virginia Administrative Code
Title 14. Insurance
Agency 5. State Corporation Commission, Bureau of Insurance
Chapter 430. Insurance Data Security Risk Assessment and Reporting
12/7/2024

14VAC5-430-30. Definitions.

The following words and terms when used in this chapter shall have the following meanings, unless context clearly indicates otherwise:

"Authorized person" means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Bureau" means the Bureau of Insurance.

"Commissioner" means the Commissioner of Insurance.

"Consumer" means an individual, including any applicant, policyholder, former policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of Virginia and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.

"Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. "Cybersecurity event" does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Encrypted" or "encryption" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

"Home state" means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system, such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.

"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Virginia. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than Virginia or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:

1. Knowledge factors, such as a password;

2. Possession factors, such as a token or text message on a mobile device; or

3. Inherence factors, such as a biometric characteristic.

"Nonpublic information" means information that is not publicly available information and is:

1. Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;

2. Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or

3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.

"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information or otherwise is permitted access to nonpublic information through its provision of services to the licensee, or an insurance-support organization.

Statutory Authority

§§ 12.1-13 and 38.2-223 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021; Errata, 37:23 VA.R. 3482 July 5, 2021.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.