LegalFix

Section 8-38-3 - Reasonable security measures; assessment.

AL Code § 8-38-3 (2019) (N/A)

(a) Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.

(b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following:

(1) Designation of an employee or employees to coordinate the covered entity's security measures to protect against a breach of security. An owner or manager may designate himself or herself.

(2) Identification of internal and external risks of a breach of security.

(3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.

(4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.

(5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.

(6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7.

(c) An assessment of a covered entity's security shall be based upon the entity's reasonable security measures as a whole and shall place an emphasis on data security failures that are multiple or systemic, including consideration of all the following:

(1) The size of the covered entity.

(2) The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.

(3) The covered entity's cost to implement and maintain the reasonable security measures to protect against a breach of security relative to its resources.
