Can I skip having an information security program in place in Minnesota? What are the requirements?

Information Security Program Requirements in Minnesota

In Minnesota, the law requires insurers, insurance agents, and other insurance-related entities licensed by the Department of Commerce to have an information security program in place ^[5]. The program should include the following three things:

1. To identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of nonpublic information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.
2. To design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
3. To oversee service providers, by requiring them by contract to implement appropriate safeguards to protect the information, and assessing the service providers’ safeguards’ effectiveness periodically ^[5].

Can I skip having an information security program in place in Minnesota?

No, you cannot skip having an information security program in place in Minnesota if you are an insurer, insurance agent, or other insurance-related entity licensed by the Department of Commerce. The law requires you to have an information security program in place ^[5].

Source(s):

• [5] Information Security Program / Minnesota Department of Commerce …

Jurisdiction

Minnesota

• Privacy