(1) Generally, applicants and licensees must have a written program appropriate to the company's size and complexity, the activity conducted, and the sensitivity of information at issue. The program must ensure the information's security and confidentiality, protect against anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information.
(2) Specifically, at a minimum the program described in subsection (1) of this section must:
(a) Designate an employee or employees to coordinate the information security program;
(b) Identify and assess the risks to customer information;
(c) Design and implement information safeguards to control the risks identified in the risk assessment and regularly monitor and test the safeguards;
(d) Select service providers that can maintain appropriate safeguards and oversee their handling of customer information; and
(e) At least annually evaluate and adjust the program in light of relevant circumstances, including changes in business or operations, or the results of testing and monitoring the effectiveness of the implemented safeguards.
(3) The information security program must be maintained as part of your books and records.
(4) For more information access the FTC website on the Safeguard Rules at: https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying and see 16 C.F.R. 314.
[Statutory Authority: Chapter 43.320 RCW, RCW 18.44.410. WSR 16-08-028, § 208-680-532, filed 3/30/16, effective 4/30/16.]