Senate Bill 2075 - Summary

• Creates Chapter 26.1-02.2 of the North Dakota Century Code establishing exclusive state standards for insurance licensees regarding data security, cybersecurity event investigation, and notification to the insurance commissioner.

• Requires each licensee to develop, implement, and maintain a comprehensive written information security program based on risk assessment, with implementation deadlines of August 1, 2022 for most requirements and August 1, 2023 for additional requirements.

• Mandates licensees notify the insurance commissioner no later than three business days after determining a cybersecurity event has occurred if the state is the licensee's domicile or if nonpublic information of 250+ North Dakota consumers is involved.

• Exempts licensees with less than $5 million in gross revenue or less than $10 million in year-end assets from security program requirements; includes phased implementation for smaller entities with fewer employees through July 31, 2023.

• Directs the legislative management to study during 2021-22 interim the feasibility of prohibiting insurers from restricting how insureds access electronic insurance policies, balancing cyber breach risks with competition concerns, and report findings to the 68th legislative assembly.