Minnesota’s Information Security Program (Minn. Statutes 60A.9851), passed by the 2021 Minnesota Legislature, adopts a model insurance law proposed by the National Association of Insurance Commissioners.
This law serves as a guide for Minnesota insurance businesses on how to prepare for, and react to, a data incident.
The law applies to insurers, insurance agents, and other insurance-related entities licensed by the Department of Commerce and asks them to do three things:
- To create a plan on how to deal with cybersecurity events.
- To carry out this plan and investigate cybersecurity events if they think one has occurred.
- To notify the Department of Commerce and to notify consumers when a cybersecurity event has occurred.
Protecting the privacy of consumer data has been a priority for Commerce and the NAIC. Commerce continues to work with NAIC committees on additional policy ideas for consumer privacy protection.
Information Security Program Certification reporting requirement
Aug. 1, 2022 - Minnesota's information security law went into effect
April 15, 2023 - Non-exempted licensees required to report Information Security Program compliance to the Commissioner
The Department will publish detailed guidance on the reporting procedure in the coming months.
Commerce contact for Information Security Program reporting:
Bubba Aguirre | robert.aguirre@state.mn.us | 651-539-4039