§ 11-49.2-7 Agencies with security breach procedures.
Any state agency or person that maintains its own security breach procedures as
part of an information security policy for the treatment of personal
information and otherwise complies with the timing requirements of §
11-49.2-3, shall be deemed to be in compliance with the security breach
notification requirements of § 11-49.2-3, provided such person notifies
subject persons in accordance with such person's policies in the event of a
breach of security. Any person that maintains such a security breach procedure
pursuant to the rules, regulations, procedures or guidelines established by the
primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed
to be in compliance with the security breach notification requirements of this
section, provided such person notifies subject persons in accordance with the
policies or the rules, regulations, procedures or guidelines established by the
primary or functional regulator in the event of a breach of security of the
system. A financial institution, trust company, credit union or its affiliates
that is subject to and examined for, and found in compliance with the Federal
Interagency Guidelines on Response Programs for Unauthorized Access to Customer
Information and Customer Notice shall be deemed in compliance with this
chapter. A provider of health care, health care service plan, health insurer,
or a covered entity governed by the medical privacy and security rules issued
by the federal Department of Health and Human Services, Parts 160 and 164 of
Title 45 of the Code of Federal Regulations, established pursuant to the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in
compliance with this chapter.
(P.L. 2005, ch. 225, § 1.)