skip to content
Primary navigation
Feature image for Nonbank Information Security Program and Incident Notification

Nonbank Information Security Program and Incident Notification

Nonbank Data Security Law [pdf]

Report a cybersecurity incident


Minnesota’s Nonbank Data Security Law (Minnesota Statutes Chapter 46A), passed by the 2024 Minnesota Legislature, adopts a model law proposed by the Conference of State Bank Supervisors (CSBS).  The law tracks the updated federal Safeguards Rule.

This law includes requirements for Minnesota-licensed nonbank financial institutions to report a notification event to the commissioner.

The law applies to mortgage, money services and consumer finance entities licensed by the Department of Commerce and asks them to do three things: 

  • To develop and have an information security program.
  • To have an incident response plan to handle any security events (for those institutions with over 5,000 consumers).
  • To notify the Department of Commerce within 45 days when a cybersecurity event that affects more than 500 consumers has occurred. 

Protecting the privacy of consumer data has been a priority for the Commerce Department and the CSBS. Commerce continues to work with CSBS committees on additional policy ideas for consumer privacy protection. 

Commerce Department contact for Nonbank Financial Institutions Information Security Program reporting: 

Senior Examiner, Nicholas Jenson
nicholas.jenson@state.mn.us | 651-539-1712

back to top