TITLE XXXVII
INSURANCE

CHAPTER 420-P
INSURANCE DATA SECURITY LAW

Section 420-P:9

    420-P:9 Exceptions. –
I. The following exceptions shall apply to this chapter:
(a) A licensee with fewer than 20 employees, including any independent contractors, shall be exempt from RSA 420-P:4.
(b) An employee, agent, representative, or designee of a licensee, who is also a licensee, shall be exempt from RSA 420-P:4 and need not develop its own program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.
(c) A continuing care retirement community, as defined by RSA 420-D, shall be exempt from RSA 420-P:4.
(d) A life settlement provider, as defined by RSA 408-D, shall be exempt from RSA 420-P:4.
(e) A licensee that is a bank or a credit union, as defined in RSA 383-A:2-201, that has established and maintains programs and procedures regarding administrative, technical, and physical safeguards for customer information that are prescribed by section 501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. section 6801 et seq. and by section 216 of the Fair and Accurate Credit Transaction Act of 2003, and that is subject to examination by its federal regulatory authorities, shall be exempt from RSA 420-P:4, and those provisions of this chapter that apply to a bank or credit union apply only to the extent that it involves insurance. Notification to affected consumers for security breaches relating to insurance business shall be made consistent with the requirements of the Gramm-Leach-Bliley Act. Notification to the commissioner shall be made consistent with that received by federal regulatory authorities.
(f) A motor vehicle retail seller or a motor vehicle sales finance company, as defined in RSA 361-A, shall be exempt from RSA 420-P:4, and those provisions of this chapter that apply to a motor vehicle retail seller or a motor vehicle sales finance company apply only to the extent that it involves insurance. Notification to affected consumers for security breaches relating to the insurance business shall be made consistent with the requirements of the Gramm-Leach-Bliley Act. Notification to the commissioner shall be made consistent with that received by federal regulatory authorities.
(g) A vendor, as defined under RSA 402-K:1, shall be exempt from this chapter.
II. A licensee which ceases to qualify for an exception under this section shall have 180 days to comply with RSA 420-P:4.

Source. 2019, 309:1, eff. Jan. 1, 2020.