ND SB2088

Amends the definition of "cybersecurity event" to remove the exception for incidents where nonpublic information accessed by unauthorized persons was determined not to have been used, released, or was returned/destroyed

Modifies cybersecurity event notification triggers to require commissioner notification when events trigger consumer notification under chapter 51-30, rather than the previous standard of "reasonable likelihood of materially harming a consumer"

Removes the requirement that the commissioner obtain prior written consent from a licensee before making cybersecurity-related documents, materials, or information public

Eliminates employee-count-based exemptions from information security program requirements that previously exempted licensees with fewer than 50 employees (through July 2023) or fewer than 25 employees (after July 2023)

Repeals section 26.1-02.2-11 relating to implementation dates for data security requirements, and clarifies that HIPAA-compliant licensees are deemed compliant with information security program requirements under section 26.1-02.2-03