HF1913 Summary: Insurance Data Security Law

• Establishes comprehensive data security requirements for all insurance licensees in Minnesota, including insurers, producers, and other regulated entities operating under chapters 59A-62M and 62Q-79A.

• Requires licensees to develop and maintain written information security programs with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of nonpublic consumer information they handle.

• Mandates notification to the Department of Commerce or Health within 3 business days of determining a cybersecurity event has occurred if the event affects 250+ Minnesota consumers or materially harms state residents or licensee operations.

• Requires licensees to notify affected Minnesota consumers in the most expedient time possible of cybersecurity events involving unauthorized acquisition of their nonpublic information with reasonable likelihood of material harm, unless law enforcement requests delay.

• Repeals previous data security statutes (60A.98, 60A.981, 60A.982) and takes effect August 1, 2021, with licensees given 1-2 years to implement compliance depending on specific program requirements.