| (a) A web services insurer must design, develop, maintain, and submit specifications for a web services program application capable of verifying the status of a policyholder's insurance information. The program must enable the insurer to receive and respond to the vendor's insurance verification inquiries during the event based process and to process batch inquiries of multiple vehicles during the ongoing verification process. (b) The web services program transmission format and protocols must be compliant with XML standards as published by the World Wide Web Consortium (W3C). (c) The insurer's web services program must incorporate basic web service infrastructure standards; select a common XML standard to align with the other web services infrastructure standards; and set forth procedures for agreement between insurers and the vendor to use one set of web services security standards, adhere to SOAP 1.1 standards, and use one set of authentication standards. (d) The web services insurer must develop and implement an algorithm that matches policy and policyholder data to information provided by the vendor in the query process. The algorithm may also use cascading data matching that may not result in a 100 percent match of all fields, but a match may be made with a reasonable degree of accuracy. The algorithm must match information using: (1) the VIN, if available, and one additional field; or (2) at least two data fields provided by the vendor. (e) Data fields provided by the vendor shall include: (1) VIN; (2) registered owner's and/or listed driver's license number; (3) vehicle make, model, and year; (4) registered owner's and/or listed driver's name; (5) registered owner's and/or listed driver's address; (6) registered owner's and/or listed driver's date of birth; and (7) specific policy coverage date, as applicable. (f) For information found to be in error, each web services insurer continuing in the web services program must, as necessary, contact its policyholders to confirm or correct information using the data clean-up procedures outlined in §5.606 of this subchapter (relating to Requirements for Insurers Using the Web Services Program). (g) Each web services insurer must provide a disaster recovery plan that meets the following requirements: (1) recovery time objective within two hours during the critical time period that is defined as seven days per week, 24 hours per day per program; a single data center solution is acceptable; (2) recovery point objective consisting of the last data load; (3) a hot site or cold site capable of meeting the recovery time objective; and (4) back-up data consisting of weekly backup following the data load. (h) Each web services insurer must provide up-time and availability of 99.8 percent for the event based process. This requirement excludes scheduled and planned outages for upgrades or maintenance; outages requested by the department; and outages resulting from the failure of any systems or components that are not owned, controlled, or contracted by the vendor or web services insurer, unless the cause of the failure can be shown to have been a result of the web services insurer's negligence or malfeasance. (i) Each web services insurer must comply with all procedures relating to data confidentiality and security standards, including: (1) signing any documents necessary to enable the vendor to comply with the disclosure restrictions and privacy protections required by: (A) the department; (B) TxDOT; (C) DPS; (D) the Texas Department of Information Resources; and/or (E) the Texas Law Enforcement Telecommunications System; (2) adhering to the confidentiality provisions of Transportation Code, Chapter 601, Subchapter N, including compliance with unique identifiers and passwords for user access to the program and entering into legal trading partner agreements with the vendor to exchange data via the web services program; (3) adhering to the provisions of Texas Administrative Code Title 1, Part 10, Chapter 202 (relating to Information Security Standards); and (4) adhering to any other procedures set forth to ensure that the program is protected against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information. |
