WeVote

Bill

Bill

SB 2088

AN ACT to amend and reenact subsection 4 of section 26.1-02.2-01, sections 26.1-02.2-05 and 26.1-02.2-07, and subsection 1 of section 26.1-02.2-08 of the North Dakota Century Code, relating to data security requirements for insurance producers; and to repeal section 26.1-02.2-11 of the North Dakota Century Code, relating to implementation dates for certain data security requirements for insurance producers.

69th Legislative Assembly (2025-26)

The bill standardizes a 3‑business‑day (72 hours) notice to the Insurance Commissioner for covered cybersecurity events and clarifies duties with third parties and assuming insurer

Filed with Secretary Of State 03/26
0
WeVote Research Nonpartisan
Bill Summary · SB 2088

Summary — SB 2088 (North Dakota)

Title: An Act to amend and reenact subsection 4 of section 26.1-02.2-01, sections 26.1-02.2-05 and 26.1-02.2-07, and subsection 1 of section 26.1-02.2-08, and to repeal section 26.1-02.2-11 — Data security requirements for insurance producers

Purpose / Intent

The bill updates North Dakota’s insurance data-security statutes to clarify the definition of a “cybersecurity event,” tighten and standardize notification obligations to the Insurance Commissioner, set procedural rules for events involving third‑party service providers and assuming insurers, and repeal a statutory provision that established implementation dates for certain data‑security requirements for insurance producers.

Key provisions and changes

  • Definition: Revises subsection 4 of NDCC 26.1‑02.2‑01 to define “cybersecurity event” as unauthorized access to, disruption, or misuse of an information system or nonpublic information, and retains exclusions for acquisition of encrypted data (provided keys/means are not compromised) and events where accessed data was not used or was returned/destroyed.

  • Notification timing: Requires a licensee to notify the Insurance Commissioner “as promptly as possible, but no later than three business days (72 hours)” from the licensee’s determination that a covered cybersecurity event has occurred when:

    • North Dakota is the licensee’s domicile/home state and the event triggers consumer notification under ND chapter 51‑30 or is reasonably likely to materially harm operations; or
    • The event affects nonpublic information of 250 or more residents of North Dakota and either (a) would require notice to a government/regulatory body under other law, or (b) is reasonably likely to materially harm consumers or operations.
  • Required contents of notice: The electronic notice to the Commissioner must include: date of event; description of how data were exposed (including third‑party roles); discovery method; recovery status; source identity; law‑enforcement/regulatory notifications; specific data elements exposed (e.g., medical, financial); period of compromise; estimated number of affected state residents (with updates); results of internal review; remediation efforts; copy of privacy policy and consumer notification plan; and a named contact familiar with the event.

  • Third‑party service providers: If a licensee becomes aware of an event in a third‑party system, the licensee must treat it as reportable unless the third party provides the statutorily required notice to the Commissioner. The licensee’s reporting deadlines begin the day after the third party notifies the licensee or the licensee otherwise acquires actual knowledge (whichever is sooner). Contracts may allocate investigation/notification responsibilities.

  • Assuming insurers and ceding insurers: When an assuming insurer (which lacks direct consumer contracts) becomes aware of a covered event, it must notify affected ceding insurers and the insurer’s state‑of‑domicile Commissioner within three business days; the ceding insurers with direct relationships must perform consumer notification obligations under chapter 51‑30.

  • Repeal: Deletes NDCC section 26.1‑02.2‑11, which previously set implementation dates for certain data‑security requirements for insurance producers — effectively removing the special implementation timetable.

Who is affected

  • Insurance licensees: insurers, insurance producers (agents/brokers), and assuming insurers licensed or domiciled in North Dakota.
  • Third‑party service providers that maintain systems or process nonpublic information on behalf of licensees.
  • Ceding insurers (when assuming insurers are involved).
  • North Dakota consumers whose nonpublic information is impacted by cybersecurity events.
  • Insurance Commissioner (receives and manages reporting and oversight).

Procedural / status notes

  • Introduced: March 7, 2025 (at the request of the Insurance Commissioner).
  • Committee action: Adopted by Industry and Business Committee (committee report dated Jan 28, 2025).
  • Filed with Secretary of State: March 26, 2025.
  • The bill amends multiple sections of NDCC chapter 26.1‑02.2 and repeals section 26.1‑02.2‑11.

Practical impact

  • Standardizes a relatively short notification deadline (three business days / 72 hours) for covered cybersecurity events, increases transparency about incident details provided to the Insurance Commissioner, clarifies responsibilities when third parties or assuming insurers are involved, and removes phased implementation timing for producers — likely accelerating compliance expectations for producers and other licensees.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.