The bill amends several sections of the North Dakota Century Code to enhance data security requirements for insurance producers. Key changes include a revised definition of "cybersecurity event," which now excludes certain unauthorized acquisitions of encrypted nonpublic information. Additionally, the notification requirements for licensees in the event of a cybersecurity incident have been updated, specifying that notifications must be made to the commissioner within three business days if the event poses a reasonable likelihood of harming consumers or the licensee's operations. The bill also clarifies the obligations of licensees acting as assuming insurers regarding notifications to affected parties.

Furthermore, the bill introduces exemptions for certain licensees based on their revenue and employee count, while repealing a previous section related to implementation dates for data security requirements. It also enhances the confidentiality provisions surrounding documents and information shared with the commissioner, allowing for sharing with other regulatory and law enforcement agencies under strict confidentiality agreements. Overall, the bill aims to strengthen the framework for data security in the insurance sector while providing necessary exemptions and clarifications.

Statutes affected:
INTRODUCED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Adopted by the Senate Industry and Business Committee: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
FIRST ENGROSSMENT: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Enrollment: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
PREFILED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11