Insurance Data Security Law Summary

• Establishes comprehensive data security standards for Minnesota insurance licensees, requiring development and maintenance of written information security programs commensurate with organizational size, complexity, and data sensitivity.

• Mandates risk assessments, security measures including encryption, multifactor authentication, access controls, and incident response plans; requires board of directors oversight and annual compliance certification to the commissioner by February 15.

• Requires licensees to notify the Commissioner of Commerce within 72 hours of determining a cybersecurity event has occurred affecting 250+ Minnesota consumers or involving the licensee's domiciliary state, and to provide detailed investigation information.

• Exempts licensees with fewer than 10 employees, entities already compliant with federal Health Insurance Portability and Accountability Act (HIPAA) requirements, and employees covered under another licensee's security program; violators subject to penalties under Minnesota Statutes section 60A.052.

• Classifies documents and information submitted to the commissioner as confidential, protected from subpoena and civil discovery; allows the commissioner to share with regulatory agencies, law enforcement, and consultants under confidentiality agreements.