Title: An Act to amend and reenact subsection 4 of section 26.1-02.2-01, sections 26.1-02.2-05 and 26.1-02.2-07, and subsection 1 of section 26.1-02.2-08, and to repeal section 26.1-02.2-11 — Data security requirements for insurance producers
The bill updates North Dakota’s insurance data-security statutes to clarify the definition of a “cybersecurity event,” tighten and standardize notification obligations to the Insurance Commissioner, set procedural rules for events involving third‑party service providers and assuming insurers, and repeal a statutory provision that established implementation dates for certain data‑security requirements for insurance producers.
Definition: Revises subsection 4 of NDCC 26.1‑02.2‑01 to define “cybersecurity event” as unauthorized access to, disruption, or misuse of an information system or nonpublic information, and retains exclusions for acquisition of encrypted data (provided keys/means are not compromised) and events where accessed data was not used or was returned/destroyed.
Notification timing: Requires a licensee to notify the Insurance Commissioner “as promptly as possible, but no later than three business days (72 hours)” from the licensee’s determination that a covered cybersecurity event has occurred when:
- North Dakota is the licensee’s domicile/home state and the event triggers consumer notification under ND chapter 51‑30 or is reasonably likely to materially harm operations; or
- The event affects nonpublic information of 250 or more residents of North Dakota and either (a) would require notice to a government/regulatory body under other law, or (b) is reasonably likely to materially harm consumers or operations.
Required contents of notice: The electronic notice to the Commissioner must include: date of event; description of how data were exposed (including third‑party roles); discovery method; recovery status; source identity; law‑enforcement/regulatory notifications; specific data elements exposed (e.g., medical, financial); period of compromise; estimated number of affected state residents (with updates); results of internal review; remediation efforts; copy of privacy policy and consumer notification plan; and a named contact familiar with the event.
Third‑party service providers: If a licensee becomes aware of an event in a third‑party system, the licensee must treat it as reportable unless the third party provides the statutorily required notice to the Commissioner. The licensee’s reporting deadlines begin the day after the third party notifies the licensee or the licensee otherwise acquires actual knowledge (whichever is sooner). Contracts may allocate investigation/notification responsibilities.
Assuming insurers and ceding insurers: When an assuming insurer (which lacks direct consumer contracts) becomes aware of a covered event, it must notify affected ceding insurers and the insurer’s state‑of‑domicile Commissioner within three business days; the ceding insurers with direct relationships must perform consumer notification obligations under chapter 51‑30.
Repeal: Deletes NDCC section 26.1‑02.2‑11, which previously set implementation dates for certain data‑security requirements for insurance producers — effectively removing the special implementation timetable.