(a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.
(b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following:
(1) Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself.
(2) Identification of internal and external risks of a breach of security.
(3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.
(4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.
(5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.
(6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7.
(c) An assessment of a covered entity's security shall be based upon the entity's reasonable security measures as a whole and shall place an emphasis on data security failures that are multiple or systemic, including consideration of all the following:
(1) The size of the covered entity.
(2) The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.
(3) The covered entity's cost to implement and maintain the reasonable security measures to protect against a breach of security relative to its resources.