North Dakota 2025 2025-2026 Regular Session

North Dakota Senate Bill SB2088 Comm Sub / Bill

Filed 01/29/2025

25.8122.01001
Title.02000
Adopted by the Industry and Business Committee
January 28, 2025
Sixty-ninth Legislative Assembly of North Dakota
Introduced by
Industry and Business Committee
(At the request of the Insurance Commissioner)
A BILL for an Act to amend and reenact subsection 4 of section 26.1-02.2-01, sections 
26.1-02.2-05 and 26.1-02.2-07, and subsection 1 of section 26.1-02.2-08 of the North Dakota 
Century Code, relating to data security requirements for insurance producers; and to repeal 
section 26.1-02.2-11 of the North Dakota Century Code, relating to implementation dates for 
certain data security requirements for insurance producers.
BE IT ENACTED BY THE LEGISLATIVE ASSEMBLY OF NORTH DAKOTA:
SECTION 1. AMENDMENT. Subsection 4 of section 26.1-02.2-01 of the North Dakota 
Century Code is amended and reenacted as follows:
4. "Cybersecurity event" means an event resulting in unauthorized access to, disruption, 
or misuse of, an information system or nonpublic information stored on the information 
system. The term does not include:
a. The the unauthorized acquisition of encrypted nonpublic information if the 
encryption, process, or key is not also acquired, released, or used without 
authorization; or
b. An event the licensee has determined that the nonpublic information accessed by 
an unauthorized person has not been used or released and has been returned or 
destroyed.
SECTION 2. AMENDMENT. Section 26.1-02.2-05 of the North Dakota Century Code is 
amended and reenacted as follows:
PROPOSED AMENDMENTS TO SENATE BILL NO. 2088
26.1-02.2-05. Notification of a cybersecurity event.
1. A licensee shall notify the commissioner as promptly as possible, but no later than 
three business days seventy-two hours from a determination that a cybersecurity event 
involving nonpublic information that is in the possession of a licensee has occurred if:
a. This state is the licensee's state of domicile, in the case of an insurer, or this state 
is the licensee's home state, in the case of a producer as defined in chapter 
26.1-26, and the cybersecurity event has a reasonable likelihood of materially 
harming a consumer residing in this state triggers notification to a consumer 
residing in the state in accordance with chapter 51-30 or has a reasonable 
likelihood of materially harming any material part of the normal operations of the 
licensee; or
b. The licensee reasonably believes the nonpublic information involved is of 
two hundred fifty or more consumers residing in this state and is:
(1) A cybersecurity event impacting the licensee for which notice is required to 
be provided to any government body, self-regulatory agency, or any other 
supervisory body pursuant to any state or federal law; or
(2) A cybersecurity event that has a reasonable likelihood of materially harming 
any consumer residing in this state or materially harming any part of the 
normal operations of the licensee.
2. The licensee shall provide the notice required under this section in electronic form as 
directed by the commissioner. The licensee shall update and supplement the initial 
and any subsequent notifications to the commissioner regarding material changes to 
previously provided information relating to the cybersecurity event. The licensee's 
notice required under this section must include:
a. The date of the cybersecurity event;
b. Description of how the information was exposed, lost, stolen, or breached, 
including the specific roles and responsibilities of third-party service providers, if 
any;
c. How the cybersecurity event was discovered;
d. Whether any lost, stolen, or breached information has been recovered and if so, 
how;
e. The identity of the source of the cybersecurity event;
f. Whether the licensee has filed a police report or has notified any regulatory, 
government, or law enforcement agencies and, if so, when the notification was 
provided;
g. Description of the specific types of information acquired without authorization. 
Specific types of information means particular data elements, including medical 
information, financial information, or any other information allowing identification 
of the consumer;
h. The period during which the information system was compromised by the 
cybersecurity event;
i. The total number of consumers in this state affected by the cybersecurity event. 
The licensee shall provide the best estimate in the initial report to the 
commissioner and update the estimate with a subsequent report to the 
commissioner pursuant to this section;
j. The results of any internal review identifying a lapse in either automated controls 
or internal procedures, or confirming that all automated controls or internal 
procedures were followed;
k. Description of efforts being undertaken to remediate the situation that permitted 
the cybersecurity event to occur;
l. A copy of the licensee's privacy policy and a statement outlining the steps the 
licensee will take to investigate and notify consumers affected by the 
cybersecurity event; and
m. Name of a contact person that is both familiar with the cybersecurity event and 
authorized to act for the licensee.
3. The licensee shall comply with chapter 51-30, as applicable, and provide a copy of the 
notice sent to consumers to the commissioner, when a licensee is required to notify 
the commissioner under subsection 1.
4. In the case of a cybersecurity event in a system maintained by a third-party service 
provider, of which the licensee has become aware, the licensee shall treat the event in 
accordance with subsection 1 unless the third-party service provider provides the 
notice required under chapter 26.1-02.2 to the commissioner.
a. The computation of licensee's deadlines under this subsection begin on the day 
after the third-party service provider notifies the licensee of the cybersecurity 
event or the licensee otherwise has actual knowledge of the cybersecurity event, 
whichever is sooner.
b. Nothing in this chapter prevents or abrogates an agreement between a licensee 
and another licensee, a third-party service provider, or any other party to fulfill 
any of the investigation requirements imposed under section 26.1-02.2-04 or 
notice requirements imposed under subsection 1.
5. If a cybersecurity event involving nonpublic information that is used by a licensee that 
is acting as an assuming insurer or in the possession, custody, or control of a licensee 
that is acting as an assuming insurer and that does not have a direct contractual 
relationship with the affected consumers, the assuming insurer shall notify the 
insurer's affected ceding insurers and the commissioner of the insurer's state of 
domicile within three business days seventy-two hours of making the determination 
that a cybersecurity event has occurred. The ceding insurer that has a direct 
contractual relationship with affected consumers shall fulfill the consumer notification 
requirements imposed under chapter 51-30 and any other notification requirements 
relating to a cybersecurity event imposed under subsection 1.
6. If a cybersecurity event involving nonpublic information that is in the possession, 
custody, or control of a third-party service provider of a licensee that is an assuming 
insurer, the assuming insurer shall notify the insurer's affected ceding insurers and the 
commissioner of the insurer's state of domicile within three business days seventy-two 
hours of receiving notice from its third-party service provider that a cybersecurity event 
has occurred. The ceding insurers that have a direct contractual relationship with 
affected consumers shall fulfill the consumer notification requirements imposed under 
chapter 51-30 and any other notification requirements relating to a cybersecurity event 
imposed under subsection 1.
7. Any licensee acting as assuming insurer does not have any other notice obligations 
relating to a cybersecurity event or other data breach under this section or any other 
law of this state.
8. If a cybersecurity event involving nonpublic information that is in the possession, 
custody, or control of a licensee that is an insurer or the insurer's third-party service 
provider for which a consumer accessed the insurer's services through an 
independent insurance producer, and for which consumer notice is required by chapter 
51-30, the insurer shall notify the producers of record of all affected consumers of the 
cybersecurity event no later than the time at which notice is provided to the affected 
consumers. The insurer is excused from the obligation imposed under this subsection 
for any producers that are not authorized by law or contract to sell, solicit, or negotiate 
on behalf of the insurer, and those instances in which the insurer does not have the 
current producer of record information for an individual consumer.
SECTION 3. AMENDMENT. Section 26.1-02.2-07 of the North Dakota Century Code is 
amended and reenacted as follows:
26.1-02.2-07. Confidentiality.
1. Any documents, materials, or other information in the control or possession of the 
department which are furnished by a licensee, or an employee or agent thereof acting 
on behalf of a licensee pursuant to this chapter, or that are obtained by the 
commissioner in an investigation or examination pursuant to section 26.1-02.2-06 are 
confidential, not subject to chapter 44-04, not subject to subpoena, and are not subject 
to discovery or admissible in evidence in any private civil action. The commissioner 
may use the documents, materials, or other information in the furtherance of any 
regulatory or legal action brought as a part of the commissioner's duties. The 
commissioner may not otherwise make the documents, materials, or other information 
public without the prior written consent of the licensee.
2. The commissioner or any person that received documents, materials, or other 
information while acting under the authority of the commissioner may not be permitted 
or required to testify in any private civil action concerning any confidential documents, 
materials, or information subject to subsection 1.
3. In order to assist in the performance of the commissioner's duties under this chapter, 
the commissioner:
a. May share documents, materials, or other information, including the confidential 
and privileged documents, materials, or information subject to subsection 1, with 
other state, federal, and international regulatory agencies, with the national 
association of insurance commissioners, its affiliates or subsidiaries, and with 
state, federal, and international law enforcement authorities, provided the 
recipient agrees in writing to maintain the confidentiality and privileged status of 
the document, material, or other information;
b. May receive documents, materials, or information, including otherwise 
confidential and privileged documents, materials, or information, from the national 
association of insurance commissioners, its affiliates or subsidiaries, and from 
regulatory and law enforcement officials of other foreign or domestic jurisdictions, 
and shall maintain as confidential or privileged any document, material, or 
information received with notice or the understanding that it is confidential or 
privileged under the laws of the jurisdiction that is the source of the document, 
material, or information;
c. May share documents, materials, or other information subject to this section, with 
a third-party consultant or vendor provided the consultant agrees in writing to 
maintain the confidentiality and privileged status of the document, material, or 
other information; and
d. May enter agreements governing sharing and use of information consistent with 
this subsection.
4. A waiver of any applicable privilege or claim of confidentiality in the documents, 
materials, or information does not occur as a result of disclosure to the commissioner 
under this section or as a result of sharing as authorized in subsection 3.
5. Documents, materials, or other information in the possession or control of the national 
association of insurance commissioners or a third-party consultant or vendor pursuant 
to this chapter are confidential, not subject to chapter 44-04, not subject to subpoena, 
and not subject to discovery or admissible in evidence in any private civil action.
SECTION 4. AMENDMENT. Subsection 1 of section 26.1-02.2-08 of the North Dakota 
Century Code is amended and reenacted as follows:
1. The following exceptions apply to this chapter:
a. A licensee with less than five million dollars in gross revenue or less than 
ten million dollars in year-end assets is exempt from subsections 2 through 10 of 
section 26.1-02.2-03.
b. During the period beginning on August 1, 2021, and ending on July 31, 2023, a 
licensee with fewer than fifty employees, including independent contractors and 
employees of affiliated companies having access to nonpublic information used 
by the licensee or in the licensee's possession, custody, or control, is exempt 
from section 26.1-02.2-03.
c. After July 31, 2023, a licensee with fewer than twenty-five employees, including 
independent contractors and employees of affiliated companies having access to 
nonpublic information used by the licensee or in the licensee's possession, 
custody, or control is exempt from section 26.1-02.2-03.
d. b. A licensee that is subject to and, governed by, and compliant with the privacy, 
security, and breach notification rules issued by the United States department of 
health and human services, title 45, Code of Federal Regulations, parts 160 
and 164, established pursuant to the federal Health Insurance Portability and 
Accountability Act of 1996 [Pub. L. 104-191], and the federal Health Information 
Technology for Economic and Clinical Health Act [Pub. L. 111-5], and which 
maintains nonpublic information concerning a consumer in the same manner as 
protected health information is deemed to comply with the requirements of this 
chapter except for the commissioner notification requirements under 
subsections 1 and 2 of section 26.1-02.2-05 section 26.1-02.2-03.
e. c. An employee, agent, representative, or designee of a licensee, that also is a 
licensee, is exempt from section 26.1-02.2-03 and is not required to develop an 
information security program to the extent the employee, agent, representative, 
or designee is covered by the information security program of the other licensee.
SECTION 5. REPEAL. Section 26.1-02.2-11 of the North Dakota Century Code is repealed.