North Dakota 2025 2025-2026 Regular Session

North Dakota Senate Bill SB2088 Enrolled / Bill

Filed 03/24/2025

Sixty-ninth Legislative Assembly of North Dakota
In Regular Session Commencing Tuesday, January 7, 2025
SENATE BILL NO. 2088
(Industry and Business Committee)
(At the request of the Insurance Commissioner)
AN ACT to amend and reenact subsection 4 of section 26.1-02.2-01, sections 26.1-02.2-05 and 
26.1-02.2-07, and subsection 1 of section 26.1-02.2-08 of the North Dakota Century Code, 
relating to data security requirements for insurance producers; and to repeal section 
26.1-02.2-11 of the North Dakota Century Code, relating to implementation dates for certain 
data security requirements for insurance producers.
BE IT ENACTED BY THE LEGISLATIVE ASSEMBLY OF NORTH DAKOTA:
SECTION 1. AMENDMENT. Subsection 4 of section 26.1-02.2-01 of the North Dakota Century 
Code is amended and reenacted as follows:
4. "Cybersecurity event" means an event resulting in unauthorized access to, disruption, or
misuse of, an information system or nonpublic information stored on the information system.
The term does not include:
a. The the unauthorized acquisition of encrypted nonpublic information if the encryption,
process, or key is not also acquired, released, or used without authorization; or
b. An event the licensee has determined that the nonpublic information accessed by an
unauthorized person has not been used or released and has been returned or destroyed.
SECTION 2. AMENDMENT. Section 26.1-02.2-05 of the North Dakota Century Code is amended 
and reenacted as follows:
26.1-02.2-05. Notification of a cybersecurity event.
1. A licensee shall notify the commissioner as promptly as possible, but no later than three
business days from a determination that a cybersecurity event involving nonpublic information 
that is in the possession of a licensee has occurred if:
a. This state is the licensee's state of domicile, in the case of an insurer, or this state is the
licensee's home state, in the case of a producer as defined in chapter 26.1-26, and the
cybersecurity event has a reasonable likelihood of materially harming a consumer
residing in this state triggers notification to a consumer residing in the state in accordance
with chapter 51-30 or has a reasonable likelihood of materially harming any material part
of the normal operations of the licensee; or
b. The licensee reasonably believes the nonpublic information involved is of two hundred
fifty or more consumers residing in this state and is:
(1) A cybersecurity event impacting the licensee for which notice is required to be
provided to any government body, self-regulatory agency, or any other supervisory 
body pursuant to any state or federal law; or
(2) A cybersecurity event that has a reasonable likelihood of materially harming any
consumer residing in this state or materially harming any part of the normal 
operations of the licensee.
2. The licensee shall provide the notice required under this section in electronic form as directed
by the commissioner. The licensee shall update and supplement the initial and any
subsequent notifications to the commissioner regarding material changes to previously 
provided information relating to the cybersecurity event. The licensee's notice required under 
this section must include:
a. The date of the cybersecurity event;
b. Description of how the information was exposed, lost, stolen, or breached, including the
specific roles and responsibilities of third-party service providers, if any;
c. How the cybersecurity event was discovered;
d. Whether any lost, stolen, or breached information has been recovered and if so, how;
e. The identity of the source of the cybersecurity event;
f. Whether the licensee has filed a police report or has notified any regulatory, government,
or law enforcement agencies and, if so, when the notification was provided;
g. Description of the specific types of information acquired without authorization. Specific
types of information means particular data elements, including medical information, 
financial information, or any other information allowing identification of the consumer;
h. The period during which the information system was compromised by the cybersecurity
event;
i. The total number of consumers in this state affected by the cybersecurity event. The
licensee shall provide the best estimate in the initial report to the commissioner and 
update the estimate with a subsequent report to the commissioner pursuant to this 
section;
j. The results of any internal review identifying a lapse in either automated controls or
internal procedures, or confirming that all automated controls or internal procedures were 
followed;
k. Description of efforts being undertaken to remediate the situation that permitted the
cybersecurity event to occur;
l. A copy of the licensee's privacy policy and a statement outlining the steps the licensee
will take to investigate and notify consumers affected by the cybersecurity event; and
m. Name of a contact person that is both familiar with the cybersecurity event and
authorized to act for the licensee.
3. The licensee shall comply with chapter 51-30, as applicable, and provide a copy of the notice
sent to consumers to the commissioner, when a licensee is required to notify the 
commissioner under subsection 1.
4. In the case of a cybersecurity event in a system maintained by a third-party service provider,
of which the licensee has become aware, the licensee shall treat the event in accordance with 
subsection 1 unless the third-party service provider provides the notice required under chapter 
26.1-02.2 to the commissioner.
a. The computation of licensee's deadlines under this subsection begin on the day after the
third-party service provider notifies the licensee of the cybersecurity event or the licensee 
otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
b. Nothing in this chapter prevents or abrogates an agreement between a licensee and
another licensee, a third-party service provider, or any other party to fulfill any of the
investigation requirements imposed under section 26.1-02.2-04 or notice requirements 
imposed under subsection 1.
5. If a cybersecurity event involving nonpublic information that is used by a licensee that is acting
as an assuming insurer or in the possession, custody, or control of a licensee that is acting as 
an assuming insurer and that does not have a direct contractual relationship with the affected 
consumers, the assuming insurer shall notify the insurer's affected ceding insurers and the 
commissioner of the insurer's state of domicile within three business days of making the 
determination that a cybersecurity event has occurred. The ceding insurer that has a direct 
contractual relationship with affected consumers shall fulfill the consumer notification 
requirements imposed under chapter 51-30 and any other notification requirements relating to 
a cybersecurity event imposed under subsection 1.
6. If a cybersecurity event involving nonpublic information that is in the possession, custody, or
control of a third-party service provider of a licensee that is an assuming insurer, the assuming 
insurer shall notify the insurer's affected ceding insurers and the commissioner of the insurer's 
state of domicile within three business days of receiving notice from its third-party service 
provider that a cybersecurity event has occurred. The ceding insurers that have a direct 
contractual relationship with affected consumers shall fulfill the consumer notification 
requirements imposed under chapter 51-30 and any other notification requirements relating to 
a cybersecurity event imposed under subsection 1.
7. Any licensee acting as assuming insurer does not have any other notice obligations relating to
a cybersecurity event or other data breach under this section or any other law of this state.
8. If a cybersecurity event involving nonpublic information that is in the possession, custody, or
control of a licensee that is an insurer or the insurer's third-party service provider for which a 
consumer accessed the insurer's services through an independent insurance producer, and 
for which consumer notice is required by chapter 51-30, the insurer shall notify the producers 
of record of all affected consumers of the cybersecurity event no later than the time at which 
notice is provided to the affected consumers. The insurer is excused from the obligation 
imposed under this subsection for any producers that are not authorized by law or contract to 
sell, solicit, or negotiate on behalf of the insurer, and those instances in which the insurer does 
not have the current producer of record information for an individual consumer.
SECTION 3. AMENDMENT. Section 26.1-02.2-07 of the North Dakota Century Code is amended 
and reenacted as follows:
26.1-02.2-07. Confidentiality.
1. Any documents, materials, or other information in the control or possession of the department
which are furnished by a licensee, or an employee or agent thereof acting on behalf of a 
licensee pursuant to this chapter, or that are obtained by the commissioner in an investigation 
or examination pursuant to section 26.1-02.2-06 are confidential, not subject to chapter 44-04, 
not subject to subpoena, and are not subject to discovery or admissible in evidence in any 
private civil action. The commissioner may use the documents, materials, or other information 
in the furtherance of any regulatory or legal action brought as a part of the commissioner's 
duties. The commissioner may not otherwise make the documents, materials, or other 
information public without the prior written consent of the licensee.
2. The commissioner or any person that received documents, materials, or other information
while acting under the authority of the commissioner may not be permitted or required to 
testify in any private civil action concerning any confidential documents, materials, or 
information subject to subsection 1.
3. In order to assist in the performance of the commissioner's duties under this chapter, the
commissioner:
a. May share documents, materials, or other information, including the confidential and
privileged documents, materials, or information subject to subsection 1, with other state, 
federal, and international regulatory agencies, with the national association of insurance 
commissioners, its affiliates or subsidiaries, and with state, federal, and international law 
enforcement authorities, provided the recipient agrees in writing to maintain the 
confidentiality and privileged status of the document, material, or other information;
b. May receive documents, materials, or information, including otherwise confidential and
privileged documents, materials, or information, from the national association of 
insurance commissioners, its affiliates or subsidiaries, and from regulatory and law 
enforcement officials of other foreign or domestic jurisdictions, and shall maintain as 
confidential or privileged any document, material, or information received with notice or 
the understanding that it is confidential or privileged under the laws of the jurisdiction that 
is the source of the document, material, or information;
c. May share documents, materials, or other information subject to this section, with a third-party
consultant or vendor provided the consultant agrees in writing to maintain the
confidentiality and privileged status of the document, material, or other information; and
d. May enter agreements governing sharing and use of information consistent with this
subsection.
4. A waiver of any applicable privilege or claim of confidentiality in the documents, materials, or
information does not occur as a result of disclosure to the commissioner under this section or 
as a result of sharing as authorized in subsection 3.
5. Documents, materials, or other information in the possession or control of the national
association of insurance commissioners or a third-party consultant or vendor pursuant to this 
chapter are confidential, not subject to chapter 44-04, not subject to subpoena, and not 
subject to discovery or admissible in evidence in any private civil action.
SECTION 4. AMENDMENT. Subsection 1 of section 26.1-02.2-08 of the North Dakota Century 
Code is amended and reenacted as follows:
1. The following exceptions apply to this chapter:
a. A licensee with less than five million dollars in gross revenue or less than ten million
dollars in year-end assets is exempt from subsections 2 through 10 of section
26.1-02.2-03.
b. During the period beginning on August 1, 2021, and ending on July 31, 2023, a licensee
with fewer than fifty employees, including independent contractors and employees of 
affiliated companies having access to nonpublic information used by the licensee or in 
the licensee's possession, custody, or control, is exempt from section 26.1-02.2-03.
c. After July 31, 2023, a licensee with fewer than twenty-five employees, including
independent contractors and employees of affiliated companies having access to 
nonpublic information used by the licensee or in the licensee's possession, custody, or 
control is exempt from section 26.1-02.2-03.
d. b. A licensee that is subject to and, governed by, and compliant with the privacy, security,
and breach notification rules issued by the United States department of health and 
human services, title 45, Code of Federal Regulations, parts 160 and 164, established 
pursuant to the federal Health Insurance Portability and Accountability Act of 1996 [Pub. 
L. 104-191], and the federal Health Information Technology for Economic and Clinical 
Health Act [Pub. L. 111-5], and which maintains nonpublic information concerning a 
consumer in the same manner as protected health information is deemed to comply with
the requirements of this chapter except for the commissioner notification requirements
under subsections 1 and 2 of section 26.1-02.2-05 section 26.1-02.2-03.
e. c. An employee, agent, representative, or designee of a licensee, that also is a licensee, is
exempt from section 26.1-02.2-03 and is not required to develop an information security 
program to the extent the employee, agent, representative, or designee is covered by the 
information security program of the other licensee.
SECTION 5. REPEAL. Section 26.1-02.2-11 of the North Dakota Century Code is repealed.
____________________________ ____________________________
President of the Senate	Speaker of the House
____________________________ ____________________________
Secretary of the Senate	Chief Clerk of the House
This certifies that the within bill originated in the Senate of the Sixty-ninth Legislative Assembly of North 
Dakota and is known on the records of that body as Senate Bill No. 2088.
Senate Vote: Yeas 43 Nays 1 Absent 3
House Vote: Yeas 93 Nays 0 Absent 1
____________________________
Secretary of the Senate
Received by the Governor at ________M. on _____________________________________, 2025.
Approved at ________M. on __________________________________________________, 2025.
____________________________
Governor
Filed in this office this ___________day of _______________________________________, 2025,
at ________ o’clock ________M.
____________________________
Secretary of State