The bill amends several sections of the North Dakota Century Code to enhance data security requirements for insurance producers. Key changes include a revised definition of "cybersecurity event," which now excludes unauthorized acquisition of encrypted nonpublic information if the encryption key is not also compromised. Additionally, the notification requirements for licensees in the event of a cybersecurity incident have been updated, specifying that they must notify the commissioner within three business days if the event poses a reasonable likelihood of harming consumers or the licensee's operations. The bill also clarifies the information that must be included in the notification, such as the date of the event, the nature of the breach, and the number of affected consumers.

Furthermore, the bill repeals a previous section regarding implementation dates for certain data security requirements and introduces exemptions for smaller licensees based on revenue and employee count. Notably, licensees compliant with federal health privacy regulations are deemed to meet the chapter's requirements, except for specific commissioner notification obligations. The amendments aim to strengthen the overall cybersecurity framework for insurance producers while providing necessary exemptions for smaller entities.

Statutes affected:
PREFILED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Adopted by the Senate Industry and Business Committee: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
FIRST ENGROSSMENT: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Enrollment: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
INTRODUCED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11