HF4348 Summary

• Establishes Minnesota Statutes chapter 46A establishing data security requirements for nonbank financial institutions including loan companies, mortgage servicers, money transmitters, and debt management providers.

• Requires financial institutions to develop and maintain comprehensive information security programs with administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of customer information.

• Mandates specific security measures including encryption of customer information in transit and at rest, multifactor authentication for system access, annual penetration testing and vulnerability assessments, and secure disposal of customer information within two years of last use.

• Requires notification to the Commissioner of Commerce within 30 days of discovering a data breach affecting 500 or more consumers, with exceptions for law enforcement requests to delay public notification.

• Exempts credit unions, federally insured depository institutions, and financial institutions maintaining customer information on fewer than 5,000 consumers from certain requirements.