Current as of January 01, 2024 | Updated by Findlaw Staff
1. A financial corporation's information security program must denote a designation of a qualified individual responsible for overseeing and implementing the financial corporation's information security program and enforcing the financial corporation's information security program. The qualified individual may be employed by the financial corporation, an affiliate, or a service provider.
2. If a financial corporation designates an individual employed by an affiliate or service provider as the qualified individual, the financial corporation shall:
a. Retain responsibility for compliance with this chapter;
b. Designate a senior member of the financial corporation's personnel to be responsible for directing and overseeing the qualified individual; and
c. Require the service provider or affiliate to maintain an information security program that protects the financial corporation in accordance with the requirements of this chapter.
3. A financial corporation shall base the financial corporation's information security program on a risk assessment that:
a. Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of customer information;
b. Assesses the sufficiency of any safeguards in place to control the risks in subdivision a; and
c. Includes additional periodic risk assessments that:
(1) Re-examine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information; and
(2) Reassess the sufficiency of any safeguards in place to control these risks.
4. The risk assessment must be in writing and include:
a. Criteria to evaluate and categorize identified security risks or threats the financial corporation faces;
b. Criteria for the assessment of the confidentiality, integrity, and availability of the financial corporation's information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats the financial corporation faces; and
c. Requirements describing how:
(1) Identified risks will be mitigated or accepted based on the risk assessment; and
(2) The information security program will address the risks.
5. A financial corporation shall design and implement safeguards to control the risks the financial corporation identifies through the risk assessment in subsection 4, which include:
a. Implementing and periodically reviewing access controls, including technical and as appropriate, physical controls to:
(1) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and
(2) Limit an authorized user's access to only customer information the authorized user needs to perform the authorized user's duties and functions, or in the case of a customer, to access the customer's own information.
b. Identifying and managing data, personnel, devices, systems, and facilities that enable the financial corporation to achieve business purposes in accordance with the business purpose's relative importance to business objectives and the financial corporation's risk strategy.
c. Protecting by encryption all customer information held or transmitted by the financial corporation both in transit over external networks and at rest. To the extent a financial corporation determines that encryption of customer information, either in transit over external networks or at rest, is infeasible, the financial corporation may secure customer information using effective alternative compensating controls reviewed and approved by the financial corporation's qualified individual.
d. Adopting secure development practices for in-house developed applications utilized by the financial corporation for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications the financial corporation utilizes to transmit, access, or store customer information.
e. Implementing multifactor authentication for any individual accessing any information system, unless the financial corporation's qualified individual has approved in writing the use of a reasonably equivalent or more secure access control.
f. Developing, implementing, and maintaining procedures to securely dispose of customer information, in any format, no later than two years after the last date the information is used in connection with providing a product or service to the customer to which it relates, unless:
(1) The information is necessary for business operations or for other legitimate business purposes;
(2) Is otherwise required to be retained by law or regulation; or
(3) Where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
g. Periodically reviewing the financial corporation's data retention policy to minimize unnecessary retention of data.
h. Adopting procedures for change management.
i. Implementing policies, procedures and controls designed to:
(1) Monitor and log the activity of authorized users; and
(2) Detect unauthorized access to, use of, or tampering with customer information by authorized users.
6. a. A financial corporation shall regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including the controls, systems, and procedures to detect actual and attempted attacks on, or intrusions into, information systems.
b. Information systems monitoring and testing must include continuous monitoring or periodic penetration testing, and vulnerability assessments. Without effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, a financial corporation shall conduct:
(1) Annual penetration testing of the financial corporation's information systems based on relevant identified risks in accordance with the risk assessment; and
(2) Vulnerability assessments, including systemic scans or information systems reviews that are reasonably designed to identify publicly known security vulnerabilities in the financial corporation's information systems based on the risk assessment, at least every six months; whenever there are material changes to the financial corporation's operations or business arrangements; and whenever there are circumstances the financial corporation knows or has reason to know may have a material impact on the financial corporation's information security program.
7. A financial corporation shall implement policies and procedures to ensure the financial corporation's personnel are able to enact the financial corporation's information security program by:
a. Providing the financial corporation's personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
b. Utilizing qualified information security personnel employed by the financial corporation or an affiliate or service provider sufficient to manage the financial corporation's information security risks and to perform or oversee the information security program;
c. Providing information security personnel with security updates and training sufficient to address relevant security risks; and
d. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
8. A financial corporation shall oversee service providers by:
a. Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information;
b. Requiring, by contract, the financial corporation's service providers implement and maintain appropriate safeguards; and
c. Periodically assessing the financial corporation's service providers based on the risk they present, and the continued adequacy of the service providers' safeguards.
9. A financial corporation shall evaluate and adjust the financial corporation's information security program by incorporating:
a. The results of the testing and monitoring required under subsection 5;
b. Any material changes to the financial corporation's operations or business arrangements;
c. The results of risk assessments performed under subsection 3; or
d. Any other circumstances that the financial corporation knows or has reason to know may have a material impact on the financial corporation's information security program.
10. A financial corporation shall establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information the financial corporation controls. The plan must address:
a. The goals of the incident response plan;
b. The internal processes for responding to a security event;
c. Clear roles, responsibilities, and levels of decisionmaking authority;
d. External and internal communications and information sharing;
e. Requirements for the remediation of any identified weaknesses in information systems and associated controls;
f. Documentation and reporting regarding security events and related incident response activities; and
g. The evaluation and revision of the incident response plan, as necessary, after a security event.
11. A financial corporation shall require the financial corporation's qualified individual to report in writing, at least annually, to the financial corporation's board of directors or equivalent governing body. If no board of directors or equivalent governing body exists, the report shall be timely presented to a senior officer responsible for the financial corporation's information security program. The report must include:
a. The overall status of the information security program, and the financial corporation's compliance with this chapter and associated rules; and
b. Material matters related to the information security program, addressing issues including risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.
12. a. A financial corporation shall notify the commissioner about notification events.
b. After discovery of a notification event described in subdivision c, if the notification event involves the information of at least five hundred consumers, the financial corporation shall notify the commissioner as soon as possible, and no later than forty-five days after the event is discovered. The notice must be made in a format specified by the commissioner and include:
(1) The name and contact information of the reporting financial corporation;
(2) A description of the types of information involved in the notification event;
(3) The date or date range of the notification event, if the information is possible to determine;
(4) The number of consumers affected or potentially affected by the notification event;
(5) A general description of the notification event; and
(6) A statement whether any law enforcement official has provided the financial corporation with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the commissioner to contact the law enforcement official. A law enforcement official may request an initial delay of up to forty-five days following the date when notice was provided to the commissioner. The delay may be extended for an additional period of up to sixty days if the law enforcement official seeks an extension in writing.
c. A notification event must be treated as discovered on the first day when the event is known to the financial corporation. A financial corporation is deemed to have knowledge of a notification event if the event is known to any employee, officer, or other agent of the financial corporation, other than the person committing the breach.
13. A financial corporation shall establish a written plan addressing business continuity and disaster recovery.
Cite this article: FindLaw.com - North Dakota Century Code Title 13. Debtor and Creditor Relationship § 13-01.2-03. Elements of a security program - last updated January 01, 2024 | https://codes.findlaw.com/nd/title-13-debtor-and-creditor-relationship/nd-cent-code-sect-13-01-2-03/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.