Relating to third-party software access to insurance policy information. for an Act to provide for a legislative management study of third-party access to insurance information.
Short Summary
This legislative document, Senate Bill No. 2075, creates and enacts chapter 26.1-02.2 of the North Dakota Century Code, which governs insurance data and security. The chapter defines various terms related to insurance data and security, including ‘authorized individual,’ ‘consumer,’ ‘cybersecurity event,’ ‘information security program,’ ‘information system,’ ‘licensee,’ ‘multi-factor authentication,’ ‘nonpublic information,’ ‘person,’ ‘publicly available information,’ ‘risk assessment,’ and ‘third-party service provider.’ The chapter establishes exclusive state standards applicable to licensees for data security, investigation of cybersecurity events, and notification to the commissioner. It requires licensees to develop, implement, and maintain a comprehensive written information security program based on their risk assessment. The program must protect nonpublic information, prevent unauthorized access, and define retention and disposal mechanisms. Licensees must designate individuals responsible for the program, assess threats, and implement safeguards. The chapter also addresses incident response plans, investigation of cybersecurity events, and notification requirements. The commissioner has the power to examine and investigate licensees, enforce the provisions of the chapter, and maintain confidentiality of documents and information. The chapter provides exceptions for certain licensees based on revenue, number of employees, compliance with federal privacy rules, and relationships with other licensees. Penalties for non-compliance are in accordance with section 26.1-01-03.3.
Whom does it apply to?
Licensees, including individuals and entities authorized to operate or registered under the insurance laws of North Dakota
What does it govern?
Access to insurance policy information by third-party software
What are exemptions?
Licensees with less than $5 million in gross revenue or less than $10 million in year-end assets are exempt from certain sections. Licensees with fewer than 50 employees are exempt from certain sections until July 31, 2023, and licensees with fewer than 25 employees are exempt from certain sections after July 31, 2023. Licensees subject to federal privacy, security, and breach notification rules for protected health information are deemed to comply with the requirements of this chapter, except for commissioner notification requirements. Employees, agents, representatives, or designees of a licensee that is also a licensee are exempt from developing an information security program if covered by the other licensee's program.
What are the Penalties?
Penalties for violation of this chapter are in accordance with section 26.1-01-03.3.
Jurisdiction
North Dakota