Section 27-62-3


For purposes of this chapter, the following words have the following meanings:

(1) AUTHORIZED INDIVIDUAL. An individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

(2) COMMISSIONER. The Commissioner of Insurance.

(3) CONSUMER. An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of this state and whose nonpublic information is in the possession, custody, or control of a licensee.

(4)a. CYBERSECURITY EVENT. An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system.

b. The term cybersecurity event does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.

c. Cybersecurity event does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

(5) DEPARTMENT. The Department of Insurance.

(6) ENCRYPTED. The transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

(7) INFORMATION SECURITY PROGRAM. The administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

(8) INFORMATION SYSTEM. A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

(9) LICENSEE. Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

(10) MULTI-FACTOR AUTHENTICATION. Authentication through verification of at least two of the following types of authentication factors:

a. Knowledge factors, such as a password.

b. Possession factors, such as a token or text message on a mobile phone.

c. Inherence factors, such as a biometric characteristic.

(11) NONPUBLIC INFORMATION. Electronic information that is not publicly available information and is any of the following:

a. Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with any one or more of the following data elements:

1. The Social Security number.

2. The driver's license number or nondriver identification card number.

3. Any financial account number or a credit or debit card number.

4. Any security code, access code, or password that would permit access to a consumer's financial account.

5. Biometric records.

b. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:

1. The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer's family.

2. The provision of health care to any consumer.

3. Payment for the provision of health care to any consumer.

(12) PERSON. Any individual or any nongovernmental entity, including, but not limited to, any nongovernmental partnership, corporation, branch, agency, or association.

(13)a. PUBLICLY AVAILABLE INFORMATION. Any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.

b. For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine both of the following:

1. That the information is of the type that is available to the general public.

2. Whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

(14) RISK ASSESSMENT. The risk assessment that each licensee is required to conduct under subsection (c) of Section 27-62-4.

(15) STATE. The State of Alabama.

(16) THIRD-PARTY SERVICE PROVIDER. A person, not defined as a licensee, who contracts with a licensee to maintain, process, store, or access nonpublic information through the provision of services to the licensee.

(Act 2019-98, §3.)