skip to content
Primary navigation
Feature image for Information Security Program

Information Security Program

Report a Cybersecurity Incident

Minnesota’s Information Security Program (Minn. Statutes 60A.9851), passed by the 2021 Minnesota Legislature, adopts a model insurance law proposed by the National Association of Insurance Commissioners. 

This law serves as a guide for Minnesota insurance businesses on how to prepare for, and react to, a data incident.

The law applies to insurers, insurance agents, and other insurance-related entities licensed by the Department of Commerce and asks them to do three things: 

  • To create a plan on how to deal with cybersecurity events. 
  • To work this plan and investigate cybersecurity events if they think one has occurred. 
  • To notify the Department of Commerce and to notify consumers when a cybersecurity event has occurred. 

Protecting the privacy of consumer data has been a priority for Commerce and the NAIC. Commerce continues to work with NAIC committees on additional policy ideas for consumer privacy protection. 

Information Security Program Certification reporting requirement

Aug. 1, 2022 - Minnesota's information security law went into effect 

April 15, 2023 - Non-exempted licensees required to report Information Security Program compliance to the Commissioner 

The Department will publish detailed guidance on the reporting procedure in the coming months. 

Commerce contact for Information Security Program reporting: 

Bubba Aguirre | 651-539-4039 

back to top