1. If a licensee discovers that a cybersecurity event has occurred, or that a cybersecurity
event may have occurred, the licensee, or the outside vendor or third-party service
provider the licensee has designated to act on behalf of the licensee, shall conduct
a prompt investigation of the event.
2. During the investigation, the licensee, outside vendor, or third-party service
provider the licensee has designated to act on behalf of the licensee, shall, at a
minimum, determine as much of the following as possible:
a. Confirm that a cybersecurity event has occurred.
b. Assess the nature and scope of the cybersecurity event.
c. Identify all nonpublic information that may have been compromised by the cybersecurity
d. Perform or oversee reasonable measures to restore the security of any compromised
information systems in order to prevent further unauthorized acquisition, release,
or use of nonpublic information that is in the licensee's possession, custody, or
3. If a licensee learns that a cybersecurity event has occurred, or may have occurred,
in an information system maintained by a third-party service provider of the licensee,
the licensee shall complete an investigation in compliance with this section, or confirm
and document that the third-party service provider has completed an investigation
in compliance with this section.
4. A licensee shall maintain all records and documentation related to the licensee's
investigation of a cybersecurity event for a minimum of five years from the date of
the event, and shall produce the records and documentation upon demand of the commissioner.
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature or via Westlaw before relying on it for your legal needs.
Was this helpful?
Welcome to FindLaw's Cases & Codes
A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw's Learn About the Law.