GENERAL ASSEMBLY OF NORTH CAROLINA

SESSION 2003

 

 

SESSION LAW 2003-262

SENATE BILL 966

 

 

AN ACT TO REQUIRE INSURERS TO IMPLEMENT SAFEGUARDS FOR THE PROTECTION OF CUSTOMER INFORMATION, PURSUANT TO THE PROVISIONS OF THE GRAMM-LEACH-BLILEY ACT.

 

The General Assembly of North Carolina enacts:

 

SECTION 1.  The heading for Article 39 of Chapter 58 of the General Statutes reads as rewritten:

"Article 39.

Insurance Information and Privacy Protection Act.

Consumer and Customer Information Privacy."

SECTION 2.  Article 39 of Chapter 58 of the General Statutes is amended by:

(1)       Designating G.S. 58-39-1 through G.S. 58-39-76 as:

"Part 1. Insurance Information and Privacy Protection."

(2)       Designating G.S. 58-39-80 through G.S. 58-39-125 as:

"Part 2. Enforcement, Sanctions, Remedies, and Rights." and

(3)       Recodifying G.S. 58-39-70 as G.S. 58-39-125.

SECTION 3.  G.S. 58-39-1 reads as rewritten:

"§ 58-39-1.  Short title.titles.

This Article may be cited as the Consumer and Customer Information Privacy Act. Part 1 of this Article may be cited as the Insurance Information and Privacy Protection Act. Part 3 of this Article may be cited as the Customer Information Safeguards Act."

SECTION 4.  Article 39 of Chapter 58 of the General Statutes is amended by adding a new Part to read:

"Part 3. Customer Information Safeguards.

"§ 58-39-130. Purpose.

The purpose of this Part is to establish standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, as required by sections 501, 505(b), and 507 of the federal Gramm-Leach-Bliley Act (Public Law 106-102), codified as 15 U.S.C. §§ 6801, 6805(b), and 6807. The purpose of this Part is also to provide privacy and security protection consistent with federal regulations governing the privacy and security of medical records when this Part is consistent with those federal regulations. In those instances in which this Part and the federal regulations are inconsistent and this Part provides privacy and security protection beyond that offered by the federal regulations, the purpose of this Part is to provide that additional privacy and security protection.

"§ 58-39-135.  Scope.

The safeguards established under this Part apply to all customer information as defined in G.S. 58-39-140.

"§ 58-39-140.  Definitions.

As used in this Part, in addition to the definitions in G.S. 58-39-15:

(1)       'Customer' means an applicant with or policyholder of a licensee.

(2)       'Customer information' means nonpublic personal information about a customer, whether in paper, electronic, or other form that is maintained by or on behalf of the licensee.

(3)       'Customer information systems' means the electronic or physical methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

(4)       'Licensee' means any producer, as defined in G.S. 58-33-10(7), insurer, MEWA, HMO, or service corporation governed by this Chapter. 'Licensee' does not mean:

a.         An insurance-support organization.

b.         A licensee who is a natural person operating within the scope of the licensee's employment by or affiliation with an insurer or producer.

c.         A surplus lines insurer or licensee under Article 21 of this Chapter.

(5)       'Service provider' means a person that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the licensee and includes an insurance support organization.

"§ 58-39-145.  Information security program.

Each licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

"§ 58-39-150.  Objectives of information security program.

A licensee's information security program shall be designed to:

(1)       Ensure the security and confidentiality of customer information;

(2)       Protect against any anticipated threats or hazards to the security or integrity of the information; and

(3)       Protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

"§ 58-39-155.  Rules.

The Commissioner may adopt rules that the Commissioner deems necessary to carry out the purposes of this Part, including rules that govern licensee oversight of service providers with which it contracts or has a relationship.

"§ 58-39-160.  Violation.

A violation of G.S. 58-39-145 or G.S. 58-39-150 subjects the violator to Part 2 of this Article.

"§ 58-39-165.  Effective date.

Each licensee shall establish an information security program, including appropriate policies and systems under this Part by April 1, 2005."


SECTION 5.  This act is effective when it becomes law.

In the General Assembly read three times and ratified this the 18th day of June, 2003.

 

 

                                                                    s/ Beverly E. Perdue

                                                                         President of the Senate

 

 

                                                                    s/ Richard T. Morgan

                                                                         Speaker of the House of Representatives

 

 

                                                                    s/ Michael F. Easley

                                                                         Governor

 

 

Approved 12:52 p.m. this 26th day of June, 2003