ND HB1127

Creates a new comprehensive data security program requirement (Chapter 13-01.2) for financial corporations regulated by the Department of Financial Institutions, mandating written information security programs, risk assessments, encryption of customer data, multifactor authentication, annual penetration testing, and incident response plans

Requires financial corporations to notify the commissioner within 45 days of discovering a data breach affecting 500 or more consumers, with specific reporting requirements including breach description, affected consumer count, and date range

Expands authority for the Department of Financial Institutions and commissioner to issue permanent suspension orders against officers, directors, or employees convicted of crimes involving dishonesty or breach of trust in state or federal court

Standardizes response deadlines across multiple licensing chapters (money brokers, collection agencies, money transmitters, deferred presentment services, mortgage servicers), allowing the department to deny applications when requested information is not provided within specified timeframes

Exempts entities solely performing interim mortgage servicing from licensing requirements and exempts financial institutions with fewer than 5,000 consumer records from certain detailed security program documentation requirements