(1) In this article:
(1) “Authorized user” means an employee, contractor, agent, or other person that participates in a financial institution's business operations and is authorized to access and use a financial institution's information systems and data.
(2) “Consumer” means an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
(3) “Customer” means a consumer who has a customer relationship with a financial institution.
(4) “Customer information” means a record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a financial institution or the financial institution's affiliates.
(5) “Customer relationship” means a continuing relationship between a consumer and a financial institution under which the financial institution provides to the consumer one or more financial products or services that are used primarily for personal, family, or household purposes.
(6) “Encryption” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.
(7) “Financial institution” means a money services business licensed under this chapter.
(8) (A) “Financial product or service” means a product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k), as it existed on January 1, 2025.
    (B) “Financial product or service” includes a financial institution's evaluation or brokerage of information that a financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(9) “Information security program” means the administrative, technical, or physical safeguards a financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(10) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, including any specialized system such as an industrial controls system or process controls system, telephone switching and private branch exchange system, and environmental controls system, that contains customer information or that is connected to a system that contains customer information.
(11) “Multi-factor authentication” means authentication through verification of at least 2 of the following types of authentication factors:
    (A) knowledge factors, including without limitation a password;
    (B) possession factors, including without limitation a token; or
    (C) inherence factors, including without limitation biometric characteristics.
(12) (A) “Nonpublic personal information” means:
        (i) personally identifiable financial information; and
        (ii) a list, description, or other grouping of consumers, and publicly available information pertaining to a consumer, that is derived using personally identifiable financial information that is not publicly available.
    (B) “Nonpublic personal information” includes without limitation a list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available.
    (C) “Nonpublic personal information” does not include:
        (i) publicly available information except as included on a list described in subdivision (12)(A)(ii);
        (ii) a list, description, or other grouping of consumers, and publicly available information pertaining to the list, description, or other grouping of consumers, that is derived without using personally identifiable financial information that is not publicly available; or
        (iii) a list of individuals' names and addresses that contains only publicly available information and is not:
            (a) derived, in whole or in part, using personally identifiable financial information that is not publicly available; and
            (b) disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(13) (A) “Notification event” means acquisition of unencrypted customer information without the authorization of an individual to which the information pertains.
    (B) For purposes of subdivision (13)(A):
        (i) customer information is considered unencrypted if the encryption key was accessed by an unauthorized person; and
        (ii) unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless a financial institution has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of the customer information.
(14) “Penetration testing” means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside a financial institution's information systems.
(15) (A) “Personally identifiable financial information” means information:
        (i) a consumer provides to a financial institution to obtain a financial product or service from a financial institution;
        (ii) about a consumer resulting from a transaction involving a financial product or service between a financial institution and a consumer; or
        (iii) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
    (B) “Personally identifiable financial information” includes:
        (i) information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service;
        (ii) account balance information, payment history, overdraft history, and credit or debit card purchase information;
        (iii) the fact that an individual is or has been a financial institution's customer or has obtained a financial product or service from a financial institution;
        (iv) information about a financial institution's consumer if the information is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer;
        (v) information that a consumer provides to a financial institution or that a financial institution or a financial institution's agent otherwise obtains in connection with collecting on, or servicing, a credit account;
        (vi) information a financial institution collects through an internet cookie or the information collecting device from a computer server; and
        (vii) information from a consumer report.
    (C) “Personally identifiable financial information” does not include:
        (i) a list of names and addresses of customers of an entity that is not a financial institution; and
        (ii) information that does not identify a consumer, including aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
(16) (A) “Publicly available information” means information that a financial institution has a reasonable basis to believe is lawfully made available to the public from:
        (i) federal, state, or local government records;
        (ii) widely distributed media; or
        (iii) disclosures to the public that are required to be made by federal, state, or local law.
    (B) “Publicly available information” includes without limitation:
        (i) information in government records, including information in government real estate records and security interest filings; and
        (ii) (a) information from widely distributed media, including information from a telephone book, a television or radio program, a newspaper, or a website that is available to the public on an unrestricted basis.
            (b) A website is not restricted under subdivision (16)(B)(ii)(a) merely because an internet service provider or a site operator requires a fee or a password, so long as access is available to the public.
    (C) For purposes of this subdivision (16), a financial institution has a reasonable basis to believe that:
        (i) information is lawfully made available to the public if the financial institution has taken steps to determine:
            (a) that the information is of the type that is available to the public; and
            (b) whether an individual can direct that the information not be made available to the public and, if so, that the financial institution's consumer has not directed that the information not be made available to the public;
        (ii) mortgage information is lawfully made available to the public if the financial institution determines that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded; and
        (iii) an individual's telephone number is lawfully made available to the public if the financial institution has located the telephone number in a telephone directory or the consumer has informed the financial institution that the telephone number is not unlisted.
(17) “Qualified individual” means an individual designated by a financial institution to oversee, implement, and enforce the financial institution's information security program.
(18) “Security event” means an event resulting in unauthorized access to, or disruption or misuse of:
    (A) an information system or information stored on the information system; or
    (B) customer information held in physical form.
(19) “Service provider” means a person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this article.