The bill amends several sections of the North Dakota Century Code to enhance data security requirements for insurance producers. Key changes include a revised definition of "cybersecurity event," which now excludes unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also compromised. Additionally, the notification requirements for licensees in the event of a cybersecurity incident have been updated, specifying that they must notify the commissioner within three business days if the event poses a reasonable likelihood of harming consumers or the licensee's operations. The bill also clarifies the obligations of licensees acting as assuming insurers regarding notification to affected parties.
Furthermore, the bill introduces exemptions for certain licensees based on their revenue and employee count, while repealing a previous section related to implementation dates for data security requirements. It also enhances the confidentiality provisions surrounding documents and information shared with the commissioner, allowing for sharing with other regulatory and law enforcement agencies under strict confidentiality agreements. Overall, the bill aims to strengthen the framework for cybersecurity and data protection within the insurance industry in North Dakota.
Statutes affected:
PREFILED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Adopted by the Senate Industry and Business Committee: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
FIRST ENGROSSMENT: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
Enrollment: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11
INTRODUCED: 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11