(a) The following exceptions shall apply to this chapter:
(1) A licensee is exempt from Section 27-62-4 if any of the following criteria apply:
a. The licensee has fewer than 25 employees.
b. The licensee has less than $5 million in gross annual revenue.
c. The license has less than $10 million in year-end total assets.
(2) A licensee subject to Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996 (Health Insurance Portability and Accountability Act), that has established and maintains an information security program pursuant to the statutes, rules, regulations, procedures, or guidelines established thereunder, shall be considered to meet the requirements of this chapter, provided that licensee is compliant with and submits a written statement certifying its compliance with Pub. L. 104-191.
(3) An employee, agent, representative, or designee of a licensee who is also a licensee is exempt from this chapter and is not required to develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.
(4) A licensee affiliated with a depository institution that maintains an Information Security Program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information as set forth pursuant to Sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. §§6801 and 6805) shall be considered to meet the requirements of Section 27-62-4, provided that the licensee produces, upon request, documentation satisfactory to the commissioner that independently validates the affiliated depository institution's adoption of an Information Security Program that satisfies the Interagency Guidelines.
(b) In the event a licensee ceases to qualify for an exemption, the licensee shall have 180 days to comply with this chapter.