FAQ on Information Security
I am an independent agent and meet the exception requirements as outlined in Minn. Stat. § 60A.9856. Does that mean that I don’t have to have an information security program?
The law may exempt you from the mandate to implement an information security program and from having to investigate an event. However, it does not exempt you from the notification requirements in Minn. Stat. § 60A.9853. In general, if you experience an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system, you must notify the Commissioner of Commerce without unreasonable delay but no later than five business days from a determination that a cybersecurity event has occurred. See Minn. Stat. § 60A.9853.
If you’re unsure whether you meet the exception requirements, we recommend seeking guidance from your attorney.
If I am exempted from having to have an information security program and I experience a cybersecurity event, will I be subject to a civil action by the Department of Commerce?
There is no exemption from the reporting and notification requirements in Minn. Stat. § 60A.9853. Whether you might be subject to a civil action related to a cybersecurity event would depend on your compliance with the reporting and notification requirements.
How do I report a cybersecurity event?
Cybersecurity events should be reported via the Report a Cybersecurity Incident webpage. Additional information about reporting an event can be found there, as well.
What does the Department of Commerce recommend for licensees that are not required to have an information security program?
With the proliferation of cybercrime, phishing, ransomware, and increased work from home, we recommend everyone review the guidance provided in Minn. Stat. § 60A.9851 and implement measures that make sense for your organization based on your level of risk. Some government entities, such as the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Federal Communications Commission, provide online resources and cybersecurity tips that you might find helpful in assessing what measures would be appropriate for your organization.
I’m just a small business. Do I really need to be mindful of cybersecurity?
The Cybersecurity and Infrastructure Security Administration of the Department of Homeland Security and other industry experts have highlighted the significant increase of cyber criminals targeting small to midsize businesses. Small agencies and independent agents are prime targets because they regularly access client personal information, may process client payments, and are less likely to have sophisticated cybersecurity measures in place.
Many small businesses do not have the technical capability to encrypt their laptops, smartphones, printers, and servers. Often, owners and employees of smaller companies use personal devices to conduct business. The convenience of everyday use often makes these devices more vulnerable to malware. The Department of Commerce suggests that licensees review the Cyber Guidance for Small and Midsize Businesses provided by CISA, particularly the section on Tips to Improve Cyber Practices.