This RSA section is an unofficial mirror, is not legal advice, and may be incomplete, outdated, or incorrectly processed.

RSA 420-P:3 · Definitions

420-P:3 Definitions. – In this chapter:

I. "Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

II. "Commissioner" means the insurance commissioner.

III. "Consumer" means an individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.

IV. "Cybersecurity event" means an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system. The term shall not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. A cybersecurity event shall not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

V. "Department" means the insurance department.

VI. "Encrypted" means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

VII. "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

VIII. "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

IX. "Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

X. "Multi-factor authentication" means authentication through verification of at least 2 of the following types of authentication factors:

(a) Knowledge factors, such as a password;

(b) Possession factors, such as a token or text message on a mobile phone; or

(c) Inherence factors, such as a biometric characteristic.

XI. "Nonpublic information" means information that is not publicly available information and is:

(a) Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:

(1) Social Security number.

(2) Driver's license number or non-driver identification card number.

(3) Financial account number, credit or debit card number.

(4) Any security code, access code, or password that would permit access to a consumer's financial account.

(5) Biometric records.

(b) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to:

(1) The past, present, or future physical, mental or behavioral health or condition of any consumer or a member of the consumer's family;

(2) The provision of health care to any consumer; or

(3) Payment for the provision of health care to any consumer.

XII. "Person" means any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency, or association.

XIII. "Program" means information security program.

XIV. "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from: federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. For the purposes of this paragraph, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:

(a) That the information is of the type that is available to the general public; and

(b) Whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

XV. "Risk assessment" means the risk assessment that each licensee is required to conduct under RSA 420-P:4, III.

XVI. "State" means the state of New Hampshire.

XVII. "Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

Source. 2019, 309:1, eff. Jan. 1, 2020.
