During the 67th Legislative Assembly, the North Dakota Legislature passed Senate Bill 2075 relating to insurance data and security. The purpose of this bulletin is to educate and inform licensees regarding the requirements for establishing an information security program and for reporting cybersecurity events to the North Dakota Insurance Department as required by Senate Bill 2075. In addition to meeting the legal requirements resulting from Senate Bill 2075, the North Dakota Insurance Department wishes to highlight the importance of cybersecurity in an industry that possesses large amounts of personal data that may cause consumers material harm in the event that this data is compromised.
Additionally, the rise in ransomware attacks across numerous industries has illustrated the business impact that the absence of an information security plan, or an insufficient one, can have.
Licensees of the North Dakota Insurance Department are subject to the requirements of Senate Bill 2075. This law defines a "licensee" as anyone required to be licensed by the North Dakota Insurance Department, which includes: companies, agencies, third-party administrators (TPAs), Managing General Agents (MGAs), and any person or organization required to be licensed.
Senate Bill 2075 enacts a new chapter, North Dakota Century Code (NDCC) chapter 26.1-02.2, which requires an insurance licensee to:
- Develop, implement, and maintain an information security program,
- Investigate possible cybersecurity events, and
- Send notice to affected insurance consumers and the North Dakota Insurance Commissioner when a qualifying cybersecurity event occurs.
The following guidance is intended to assist a North Dakota licensee in meeting the requirements of NDCC 26.1-02.2.
NDCC 26.1-02.2 goes into effect August 1, 2021; however, some of the requirements established by this law have a delayed effective date of either August 1, 2022, or August 1, 2023.
Development and Implementation
Beginning August 1, 2022, NDCC 26.1-02.2 requires a licensee to perform a self-assessment of its business operations to determine a suitable information security program, which the licensee must then develop, implement, and maintain.
No matter the size of the licensee, NDCC 26.1-02.2 requires a licensee to implement certain safeguards, such as:
- Designate one or more employees responsible for the information security program.
- Identify reasonably foreseeable threats that could result in a cybersecurity event.
- Assess the likelihood and potential damage of any threats.
- Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage any threats.
- Implement an information security program to manage the threats identified.
Depending on the size and complexity of the licensee's business operations, NDCC 26.1-02.2 may require additional cybersecurity measures. NDCC 26.1-02.2 does not attempt to set specific measures a licensee must achieve or have in place. The responsibility is on the licensee to develop an information security program suitable to the particular operations of the licensee. A licensee shall also monitor, evaluate, and adjust the information security program consistent with any relevant changes in technology.
Beginning August 1, 2023, a licensee shall exercise due diligence when using and selecting a third-party service provider. The third-party service provider must also implement or have in place an information security program that meets the requirements of NDCC 26.1-02.2.
A licensee with less than $5 million of gross revenue; less than $10 million in assets; less than 25 employees; or an employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from implementing, developing, and maintaining an information security program, but is not exempt from the investigation and notification requirements.
A licensee with less than 50 employees is not required to implement, develop, and maintain an information security program until July 31, 2023. After July 31, 2023, a licensee with less than 25 employees is not required to implement, develop, and maintain an information security program; however, due to the serious nature of cyber threats, these licensees are encouraged to voluntarily establish an information security program.
Beginning August 1, 2021, NDCC 26.1-02.2 requires a licensee to conduct an investigation when a qualifying cybersecurity event occurs.
Prompt investigation must occur when a licensee learns of a cybersecurity event. A licensee may use an outside vendor or service provider for this investigation. At a minimum, the investigation must include:
- A determination on whether a cybersecurity event has occurred.
- The nature and scope of the cybersecurity event.
- Identification of any nonpublic information that may have been involved in the cybersecurity event.
- Oversight of reasonable measures to restore the security of the information systems compromised in the cybersecurity event.
The licensee shall maintain records concerning all cybersecurity events for a period of at least five years.
Beginning August 1, 2021, when a cybersecurity event occurs, a licensee is required to report this event within 3 business days to the North Dakota Insurance Commissioner's office. Licensees can submit a report by clicking here. A licensee must report if:
- North Dakota is the licensee's state of domicile, and it is reasonably likely any consumer could be materially harmed, or the licensee's operations are materially harmed.
- The licensee reasonably believes the nonpublic information involved is of two hundred fifty or more consumers and:
  - A cybersecurity event impacts the licensee for which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law.
  - A cybersecurity event has a reasonable likelihood of materially harming any consumer residing in North Dakota.
The notice to the North Dakota Insurance Commissioner's office must include:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies.
- A description of the specific types of information acquired without authorization.
- The period during which the information system was compromised by the cybersecurity event.
- The total number of consumers in this state affected by the cybersecurity event.
- The results of any internal review identifying a lapse in either automated controls or internal procedures.
- A description of efforts being undertaken to remediate the situation.
- The name of a contact person that is both familiar with the cybersecurity event and authorized to act for the licensee.
NDCC 26.1-02.2 incorporates the existing consumer reporting requirements of NDCC 51-30. The notice requirements of NDCC 51-30 can be found at: https://www.legis.nd.gov/cencode/t51c30.pdf
If a licensee is required to send a consumer notice as required by NDCC 51-30, then the licensee is also required to notify the North Dakota Insurance Commissioner's office under NDCC 26.1-02.2, and a copy of the consumer notice must be included with the notice to the North Dakota Insurance Commissioner's office.
NDCC 26.1-02.2 includes a broad exception for licensees that are required to comply with the Health Insurance Portability and Accountability Act; however, the exception does not include the notification requirements to the North Dakota Insurance Commissioner's office described in NDCC 26.1-02.2-05.
If you have questions, please contact us.