MN HF3842

Establishes a comprehensive Insurance Data Security Law requiring all Minnesota-regulated insurance licensees to develop, implement, and maintain written information security programs with administrative, technical, and physical safeguards for protecting nonpublic information.

Requires licensees to conduct risk assessments, designate security officers, implement specified security measures including encryption and multifactor authentication, and annually certify compliance to the commissioner by February 15.

Mandates licensees notify the commissioner of commerce or health within three business days of determining a cybersecurity event has occurred if it affects 250+ Minnesota consumers or could materially harm consumers or normal operations.

Requires prompt investigation of cybersecurity events, maintenance of incident response plans, and compliance with existing consumer notification requirements under Minnesota Statutes section 325E.61.

Exempts licensees with fewer than 25 employees, those compliant with HIPAA or federal banking safeguards, and certain affiliated entities; violations subject to penalties under section 60A.052; effective August 1, 2020 with one-year implementation period.