new text begin Subdivision 1. new text end

new text begin Generally. new text end

new text begin The purpose and intent of sections 60A.985 to 60A.9861 is
to establish standards for data security and standards for the investigation of and notification
to the commissioner of a cybersecurity event applicable to licensees, as defined in section
60A.9852, subdivision 5.
new text end

new text begin Subd. 2. new text end

new text begin Construction. new text end

new text begin Sections 60A.985 to 60A.9861 may not be construed to create
or imply a private cause of action for violation of its provisions nor may it be construed to
curtail a private cause of action which would otherwise exist in the absence of sections
60A.985 to 60A.9861.
new text end

new text begin Subdivision 1. new text end

new text begin Terms. new text end

new text begin As used in this act, the following terms have the meanings given.
new text end

new text begin Subd. 2. new text end

new text begin Authorized individual. new text end

new text begin "Authorized individual" means an individual known
to and screened by the licensee and determined to be necessary and appropriate to have
access to the nonpublic information held by the licensee and its information systems.
new text end

new text begin Subd. 3. new text end

new text begin Commissioner. new text end

new text begin "Commissioner" means the commissioner of commerce.
new text end

new text begin Subd. 4. new text end

new text begin Consumer. new text end

new text begin "Consumer" means an individual, including but not limited to an
applicant, policyholder, insured, beneficiary, claimant, and certificate holder who is a resident
of this state and whose nonpublic information is in a licensee's possession, custody, or
control.
new text end

new text begin Subd. 5. new text end

new text begin Cybersecurity event. new text end

new text begin "Cybersecurity event" means an event resulting in
unauthorized access to, or disruption or misuse of, an information system or information
stored on an information system.
new text end

new text begin Cybersecurity event does not include the unauthorized acquisition of encrypted nonpublic
information if the encryption, process, or key is not also acquired, released, or used without
authorization.
new text end

new text begin Cybersecurity event does not include an event with regard to which the licensee has
determined that the nonpublic information accessed by an unauthorized person has not been
used or released and has been returned or destroyed.
new text end

new text begin Subd. 6. new text end

new text begin Department. new text end

new text begin "Department" means the Department of Commerce.
new text end

new text begin Subd. 7. new text end

new text begin Encrypted. new text end

new text begin "Encrypted" means the transformation of data into a form which
results in a low probability of assigning meaning without the use of a protective process or
key.
new text end

new text begin Subd. 8. new text end

new text begin Information security program. new text end

new text begin "Information security program" means the
administrative, technical, and physical safeguards that a licensee uses to access, collect,
distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic
information.
new text end

new text begin Subd. 9. new text end

new text begin Information system. new text end

new text begin "Information system" means a discrete set of electronic
information resources organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of electronic information, as well as any specialized system
such as industrial or process controls systems, telephone switching and private branch
exchange systems, and environmental control systems.
new text end

new text begin Subd. 10. new text end

new text begin Licensee. new text end

new text begin "Licensee" means any person licensed, authorized to operate, or
registered, or required to be licensed, authorized, or registered by the Department of
Commerce or the Department of Health but shall not include a purchasing group or a risk
retention group chartered and licensed in a state other than this state or a licensee that is
acting as an assuming insurer that is domiciled in another state or jurisdiction.
new text end

new text begin Subd. 11. new text end

new text begin Multifactor authentication. new text end

new text begin "Multifactor authentication" means authentication
through verification of at least two of the following types of authentication factors:
new text end

new text begin (1) knowledge factors, such as a password;
new text end

new text begin (2) possession factors, such as a token or text message on a mobile phone; or
new text end

new text begin (3) inherence factors, such as a biometric characteristic.
new text end

new text begin Subd. 12. new text end

new text begin Nonpublic information. new text end

new text begin "Nonpublic information" means information that is
not publicly available information and is:
new text end

new text begin (1) business-related information of a licensee the tampering with which, or unauthorized
disclosure, access, or use of which, would cause a material adverse impact to the business,
operations, or security of the licensee;
new text end

new text begin (2) any information concerning a consumer which because of name, number, personal
mark, or other identifier can be used to identify such consumer, in combination with any
one or more of the following data elements:
new text end

new text begin (i) Social Security number;
new text end

new text begin (ii) driver's license number or nondriver identification card number;
new text end

new text begin (iii) account number, credit card number, or debit card number;
new text end

new text begin (iv) any security code, access code, or password that would permit access to a consumer's
financial account; or
new text end

new text begin (v) biometric records; or
new text end

new text begin (3) any information or data, except age or gender, in any form or medium created by or
derived from a health care provider or a consumer and that relates to:
new text end

new text begin (i) the past, present, or future physical, mental, or behavioral health or condition of any
consumer or a member of the consumer's family;
new text end

new text begin (ii) the provision of health care to any consumer; or
new text end

new text begin (iii) payment for the provision of health care to any consumer.
new text end

new text begin Subd. 13. new text end

new text begin Person. new text end

new text begin "Person" means any individual or any nongovernmental entity,
including but not limited to any nongovernmental partnership, corporation, branch, agency,
or association.
new text end

new text begin Subd. 14. new text end

new text begin Publicly available information. new text end

new text begin "Publicly available information" means any
information that a licensee has a reasonable basis to believe is lawfully made available to
the general public from: federal, state, or local government records; widely distributed
media; or disclosures to the general public that are required to be made by federal, state, or
local law.
new text end

new text begin For the purposes of this definition, a licensee has a reasonable basis to believe that
information is lawfully made available to the general public if the licensee has taken steps
to determine:
new text end

new text begin (1) that the information is of the type that is available to the general public; and
new text end

new text begin (2) whether a consumer can direct that the information not be made available to the
general public and, if so, that such consumer has not done so.
new text end

new text begin Subd. 15. new text end

new text begin Risk assessment. new text end

new text begin "Risk assessment" means the risk assessment that each
licensee is required to conduct under section 60A.9853, subdivision 3.
new text end

new text begin Subd. 16. new text end

new text begin State. new text end

new text begin "State" means the state of Minnesota.
new text end

new text begin Subd. 17. new text end

new text begin Third-party service provider. new text end

new text begin "Third-party service provider" means a person,
not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store,
or otherwise is permitted access to nonpublic information through its provision of services
to the licensee.
new text end

new text begin Subdivision 1. new text end

new text begin Implementation of an information security program. new text end

new text begin Commensurate
with the size and complexity of the licensee, the nature and scope of the licensee's activities,
including its use of third-party service providers, and the sensitivity of the nonpublic
information used by the licensee or in the licensee's possession, custody, or control, each
licensee shall develop, implement, and maintain a comprehensive written information
security program based on the licensee's risk assessment and that contains administrative,
technical, and physical safeguards for the protection of nonpublic information and the
licensee's information system.
new text end

new text begin Subd. 2. new text end

new text begin Objectives of an information security program. new text end

new text begin A licensee's information
security program shall be designed to:
new text end

new text begin (1) protect the security and confidentiality of nonpublic information and the security of
the information system;
new text end

new text begin (2) protect against any threats or hazards to the security or integrity of nonpublic
information and the information system;
new text end

new text begin (3) protect against unauthorized access to or use of nonpublic information, and minimize
the likelihood of harm to any consumer; and
new text end

new text begin (4) define and periodically reevaluate a schedule for retention of nonpublic information
and a mechanism for its destruction when no longer needed.
new text end

new text begin Subd. 3. new text end

new text begin Risk assessment. new text end

new text begin The licensee shall:
new text end

new text begin (1) designate one or more employees, an affiliate, or an outside vendor designated to
act on behalf of the licensee who is responsible for the information security program;
new text end

new text begin (2) identify reasonably foreseeable internal or external threats that could result in
unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic
information, including the security of information systems and nonpublic information that
are accessible to, or held by, third-party service providers;
new text end

new text begin (3) assess the likelihood and potential damage of these threats, taking into consideration
the sensitivity of the nonpublic information;
new text end

new text begin (4) assess the sufficiency of policies, procedures, information systems, and other
safeguards in place to manage these threats, including consideration of threats in each
relevant area of the licensee's operations, including:
new text end

new text begin (i) employee training and management;
new text end

new text begin (ii) information systems, including network and software design, as well as information
classification, governance, processing, storage, transmission, and disposal; and
new text end

new text begin (iii) detecting, preventing, and responding to attacks, intrusions, or other systems failures;
and
new text end

new text begin (5) implement information safeguards to manage the threats identified in its ongoing
assessment, and no less than annually, assess the effectiveness of the safeguards' key controls,
systems, and procedures.
new text end

new text begin Subd. 4. new text end

new text begin Risk management. new text end

new text begin Based on its risk assessment, the licensee shall:
new text end

new text begin (1) design its information security program to mitigate the identified risks, commensurate
with the size and complexity of the licensee's activities, including its use of third-party
service providers, and the sensitivity of the nonpublic information used by the licensee or
in the licensee's possession, custody, or control;
new text end

new text begin (2) determine which security measures listed below are appropriate and implement such
security measures:
new text end

new text begin (i) place access controls on information systems, including controls to authenticate and
permit access only to authorized individuals to protect against the unauthorized acquisition
of nonpublic information;
new text end

new text begin (ii) identify and manage the data, personnel, devices, systems, and facilities that enable
the organization to achieve business purposes in accordance with their relative importance
to business objectives and the organization's risk strategy;
new text end

new text begin (iii) restrict access at physical locations containing nonpublic information, only to
authorized individuals;
new text end

new text begin (iv) protect by encryption or other appropriate means all nonpublic information while
being transmitted over an external network and all nonpublic information stored on a laptop
computer or other portable computing or storage device or media;
new text end

new text begin (v) adopt secure development practices for in-house developed applications utilized by
the licensee and procedures for evaluating, assessing, or testing the security of externally
developed applications utilized by the licensee;
new text end

new text begin (vi) modify the information system in accordance with the licensee's information security
program;
new text end

new text begin (vii) utilize effective controls, which may include multifactor authentication procedures
for any authorized individual accessing nonpublic information;
new text end

new text begin (viii) regularly test and monitor systems and procedures to detect actual and attempted
attacks on, or intrusions into, information systems;
new text end

new text begin (ix) include audit trails within the information security program designed to detect and
respond to cybersecurity events and designed to reconstruct material financial transactions
sufficient to support normal operations and obligations of the licensee;
new text end

new text begin (x) implement measures to protect against destruction, loss, or damage of nonpublic
information due to environmental hazards, such as fire and water damage or other
catastrophes or technological failures; and
new text end

new text begin (xi) develop, implement, and maintain procedures for the secure disposal of nonpublic
information in any format;
new text end

new text begin (3) include cybersecurity risks in the licensee's enterprise risk management process;
new text end

new text begin (4) stay informed regarding emerging threats or vulnerabilities and utilize reasonable
security measures when sharing information relative to the character of the sharing and the
type of information shared; and
new text end

new text begin (5) provide its personnel with cybersecurity awareness training that is updated as
necessary to reflect risks identified by the licensee in the risk assessment.
new text end

new text begin Subd. 5. new text end

new text begin Oversight by board of directors. new text end

new text begin If the licensee has a board of directors, the
board or an appropriate committee of the board shall, at a minimum:
new text end

new text begin (1) require the licensee's executive management or its delegates to develop, implement,
and maintain the licensee's information security program;
new text end

new text begin (2) require the licensee's executive management or its delegates to report in writing, at
least annually, the following information:
new text end

new text begin (i) the overall status of the information security program and the licensee's compliance
with this act; and
new text end

new text begin (ii) material matters related to the information security program, addressing issues such
as risk assessment, risk management and control decisions, third-party service provider
arrangements, results of testing, cybersecurity events or violations and management's
responses thereto, and recommendations for changes in the information security program;
and
new text end

new text begin (3) if executive management delegates any of its responsibilities under this section, it
shall oversee the development, implementation, and maintenance of the licensee's information
security program prepared by the delegate and shall receive a report from the delegate
complying with the requirements of the report to the board of directors.
new text end

new text begin Subd. 6. new text end

new text begin Oversight of third-party service provider arrangements. new text end

new text begin (a) A licensee shall
exercise due diligence in selecting its third-party service provider.
new text end

new text begin (b) A licensee shall require a third-party service provider to implement appropriate
administrative, technical, and physical measures to protect and secure the information
systems and nonpublic information that are accessible to, or held by, the third-party service
provider.
new text end

new text begin Subd. 7. new text end

new text begin Program adjustments. new text end

new text begin The licensee shall monitor, evaluate, and adjust, as
appropriate, the information security program consistent with any relevant changes in
technology, the sensitivity of its nonpublic information, internal or external threats to
information, and the licensee's own changing business arrangements, such as mergers and
acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to
information systems.
new text end

new text begin Subd. 8. new text end

new text begin Incident response plan. new text end

new text begin (a) As part of its information security program, each
licensee shall establish a written incident response plan designed to promptly respond to,
and recover from, any cybersecurity event that compromises the confidentiality, integrity,
or availability of nonpublic information in its possession, the licensee's information systems,
or the continuing functionality of any aspect of the licensee's business or operations.
new text end

new text begin (b) Such incident response plan shall address the following areas:
new text end

new text begin (1) the internal process for responding to a cybersecurity event;
new text end

new text begin (2) the goals of the incident response plan;
new text end

new text begin (3) the definition of clear roles, responsibilities, and levels of decision-making authority;
new text end

new text begin (4) external and internal communications and information sharing;
new text end

new text begin (5) identification of requirements for the remediation of any identified weaknesses in
information systems and associated controls;
new text end

new text begin (6) documentation and reporting regarding cybersecurity events and related incident
response activities; and
new text end

new text begin (7) the evaluation and revision, as necessary, of the incident response plan following a
cybersecurity event.
new text end

new text begin Subd. 9. new text end

new text begin Annual certification to commissioner of domiciliary state. new text end

new text begin Annually, each
insurer domiciled in this state shall submit to the commissioner a written statement by
February 15 certifying that the insurer is in compliance with the requirements set forth in
this section. Each insurer shall maintain for examination by the department all records,
schedules, and data supporting this certificate for a period of five years. To the extent an
insurer has identified areas, systems, or processes that require material improvement,
updating, or redesign, the insurer shall document the identification and the remedial efforts
planned and underway to address such areas, systems, or processes. Such documentation
must be available for inspection by the commissioner.
new text end

new text begin Subdivision 1. new text end

new text begin Prompt investigation. new text end

new text begin If the licensee learns that a cybersecurity event
has or may have occurred, the licensee, or an outside vendor or service provider designated
to act on behalf of the licensee, shall conduct a prompt investigation.
new text end

new text begin Subd. 2. new text end

new text begin Investigation contents. new text end

new text begin During the investigation, the licensee, or an outside
vendor or service provider designated to act on behalf of the licensee, shall, at a minimum,
determine as much of the following information as possible:
new text end

new text begin (1) determine whether a cybersecurity event has occurred;
new text end

new text begin (2) assess the nature and scope of the cybersecurity event;
new text end

new text begin (3) identify any nonpublic information that may have been involved in the cybersecurity
event; and
new text end

new text begin (4) perform or oversee reasonable measures to restore the security of the information
systems compromised in the cybersecurity event in order to prevent further unauthorized
acquisition, release, or use of nonpublic information in the licensee's possession, custody,
or control.
new text end

new text begin Subd. 3. new text end

new text begin Third-party systems. new text end

new text begin If the licensee learns that a cybersecurity event has or
may have occurred in a system maintained by a third-party service provider, the licensee
will complete the steps listed in subdivision 2 or confirm and document that the third-party
service provider has completed those steps.
new text end

new text begin Subd. 4. new text end

new text begin Records. new text end

new text begin The licensee shall maintain records concerning all cybersecurity
events for a period of at least five years from the date of the cybersecurity event and shall
produce those records upon demand of the commissioner.
new text end

new text begin Subdivision 1. new text end

new text begin Notification to the commissioner. new text end

new text begin Each licensee shall notify the
commissioner as promptly as possible but in no event later than 72 hours from a
determination that a cybersecurity event has occurred when either of the following criteria
has been met:
new text end

new text begin (1) this state is the licensee's state of domicile, in the case of an insurer, or this state is
the licensee's home state, in the case of a producer, as those terms are defined in chapter
60K; or
new text end

new text begin (2) the licensee reasonably believes that the nonpublic information involved is of 250
or more consumers residing in this state and that is either of the following:
new text end

new text begin (i) a cybersecurity event impacting the licensee of which notice is required to be provided
to any government body, self-regulatory agency, or any other supervisory body pursuant
to any state or federal law; or
new text end

new text begin (ii) a cybersecurity event that has a reasonable likelihood of materially harming:
new text end

new text begin (A) any consumer residing in this state; or
new text end

new text begin (B) any material part of the normal operations of the licensee.
new text end

new text begin Subd. 2. new text end

new text begin Information; notification. new text end

new text begin The licensee shall provide as much of the following
information as possible. The licensee shall provide the information in electronic form as
directed by the commissioner. The licensee shall have a continuing obligation to update
and supplement initial and subsequent notifications to the commissioner concerning the
cybersecurity event.
new text end

new text begin (1) Date of the cybersecurity event;
new text end

new text begin (2) Description of how the information was exposed, lost, stolen, or breached, including
the specific roles and responsibilities of third-party service providers, if any;
new text end

new text begin (3) How the cybersecurity event was discovered;
new text end

new text begin (4) Whether any lost, stolen, or breached information has been recovered and, if so, how
this was done;
new text end

new text begin (5) The identity of the source of the cybersecurity event;
new text end

new text begin (6) Whether the licensee has filed a police report or has notified any regulatory,
government, or law enforcement agencies and, if so, when such notification was provided;
new text end

new text begin (7) Description of the specific types of information acquired without authorization.
Specific types of information means particular data elements including, for example, types
of medical information, types of financial information, or types of information allowing
identification of the consumer;
new text end

new text begin (8) The period during which the information system was compromised by the
cybersecurity event;
new text end

new text begin (9) The number of total consumers in this state affected by the cybersecurity event. The
licensee shall provide the best estimate in the initial report to the commissioner and update
this estimate with each subsequent report to the commissioner pursuant to this section;
new text end

new text begin (10) The results of any internal review identifying a lapse in either automated controls
or internal procedures, or confirming that all automated controls or internal procedures were
followed;
new text end

new text begin (11) Description of efforts being undertaken to remediate the situation which permitted
the cybersecurity event to occur;
new text end

new text begin (12) A copy of the licensee's privacy policy and a statement outlining the steps the
licensee will take to investigate and notify consumers affected by the cybersecurity event;
and
new text end

new text begin (13) Name of a contact person who is familiar with the cybersecurity event and authorized
to act for the licensee.
new text end

new text begin Subd. 3. new text end

new text begin Notification to consumers. new text end

new text begin The licensee shall comply with section 325E.61,
as applicable, and provide a copy of the notice sent to consumers under that statute to the
commissioner when a licensee is required to notify the commissioner under subdivision 1.
new text end

new text begin Subd. 4. new text end

new text begin Notice regarding cybersecurity events of third-party service providers. new text end

new text begin (a)
In the case of a cybersecurity event in a system maintained by a third-party service provider,
of which the licensee has become aware, the licensee shall treat such event as it would under
subdivision 1.
new text end

new text begin (b) The computation of a licensee's deadlines shall begin on the day after the third-party
service provider notifies the licensee of the cybersecurity event or the licensee otherwise
has actual knowledge of the cybersecurity event, whichever is sooner.
new text end

new text begin (c) Nothing in this act shall prevent or abrogate an agreement between a licensee and
another licensee, a third-party service provider, or any other party to fulfill any of the
investigation requirements imposed under section 60A.9854 or notice requirements imposed
under this section.
new text end

new text begin Subd. 5. new text end

new text begin Notice regarding cybersecurity events of reinsurers to insurers. new text end

new text begin (a) In the
case of a cybersecurity event involving nonpublic information that is used by the licensee
that is acting as an assuming insurer or in the possession, custody, or control of a licensee
that is acting as an assuming insurer and that does not have a direct contractual relationship
with the affected consumers, the assuming insurer shall notify its affected ceding insurers
and the commissioner of its state of domicile within 72 hours of making the determination
that a cybersecurity event has occurred.
new text end

new text begin (b) The ceding insurers that have a direct contractual relationship with affected consumers
shall fulfill the consumer notification requirements imposed under section 325E.61 and any
other notification requirements relating to a cybersecurity event imposed under this section.
new text end

new text begin (c) In the case of a cybersecurity event involving nonpublic information that is in the
possession, custody, or control of a third-party service provider of a licensee that is an
assuming insurer, the assuming insurer shall notify its affected ceding insurers and the
commissioner of its state of domicile within 72 hours of receiving notice from its third-party
service provider that a cybersecurity event has occurred.
new text end

new text begin (d) The ceding insurers that have a direct contractual relationship with affected consumers
shall fulfill the consumer notification requirements imposed under section 325E.61 and any
other notification requirements relating to a cybersecurity event imposed under this section.
new text end

new text begin Subd. 6. new text end

new text begin Notice regarding cybersecurity events of insurers to producers of record. new text end

new text begin (a)
In the case of a cybersecurity event involving nonpublic information that is in the possession,
custody, or control of a licensee that is an insurer or its third-party service provider and for
which a consumer accessed the insurer's services through an independent insurance producer,
the insurer shall notify the producers of record of all affected consumers as soon as
practicable as directed by the commissioner.
new text end

new text begin (b) The insurer is excused from this obligation for those instances in which it does not
have the current producer of record information for any individual consumer.
new text end

new text begin Subdivision 1. new text end

new text begin Licensee information. new text end

new text begin Any documents, materials, or other information
in the control or possession of the department that are furnished by a licensee or an employee
or agent thereof acting on behalf of a licensee pursuant to section 60A.9853, subdivision
9; section 60A.9855, subdivision 2, clauses (2), (3), (4), (5), (8), (10), and (11); or that are
obtained by the commissioner in an investigation or examination pursuant to section
60A.9856 shall be classified as confidential, protected nonpublic, or both; shall not be
subject to subpoena; and shall not be subject to discovery or admissible in evidence in any
private civil action. However, the commissioner is authorized to use the documents, materials,
or other information in the furtherance of any regulatory or legal action brought as a part
of the commissioner's duties.
new text end

new text begin Subd. 2. new text end

new text begin Certain testimony prohibited. new text end

new text begin Neither the commissioner nor any person who
received documents, materials, or other information while acting under the authority of the
commissioner shall be permitted or required to testify in any private civil action concerning
any confidential documents, materials, or information subject to subdivision 1.
new text end

new text begin Subd. 3. new text end

new text begin Information sharing. new text end

new text begin In order to assist in the performance of the commissioner's
duties under this act, the commissioner:
new text end

new text begin (1) may share documents, materials, or other information, including the confidential and
privileged documents, materials, or information subject to subdivision 1, with other state,
federal, and international regulatory agencies, with the National Association of Insurance
Commissioners, its affiliates or subsidiaries, and with state, federal, and international law
enforcement authorities, provided that the recipient agrees in writing to maintain the
confidentiality and privileged status of the document, material, or other information;
new text end

new text begin (2) may receive documents, materials, or information, including otherwise confidential
and privileged documents, materials, or information, from the National Association of
Insurance Commissioners, its affiliates or subsidiaries, and from regulatory and law
enforcement officials of other foreign or domestic jurisdictions, and shall maintain as
confidential or privileged any document, material, or information received with notice or
the understanding that it is confidential or privileged under the laws of the jurisdiction that
is the source of the document, material, or information;
new text end

new text begin (3) may share documents, materials, or other information subject to subdivision 1, with
a third-party consultant or vendor provided the consultant agrees in writing to maintain the
confidentiality and privileged status of the document, material, or other information; and
new text end

new text begin (4) may enter into agreements governing sharing and use of information consistent with
this subdivision.
new text end

new text begin Subd. 4. new text end

new text begin No waiver of privilege or confidentiality. new text end

new text begin No waiver of any applicable privilege
or claim of confidentiality in the documents, materials, or information shall occur as a result
of disclosure to the commissioner under this section or as a result of sharing as authorized
in subdivision 3.
new text end

new text begin Subd. 5. new text end

new text begin Certain actions public. new text end

new text begin Nothing in sections 60A.985 to 60A.9861 shall prohibit
the commissioner from releasing final, adjudicated actions that are open to public inspection
pursuant to chapter 13 to a database or other clearinghouse service maintained by the National
Association of Insurance Commissioners, its affiliates, or subsidiaries.
new text end

new text begin Subdivision 1. new text end

new text begin Generally. new text end

new text begin The following exceptions shall apply to sections 60A.985 to
60A.9861:
new text end

new text begin (1) a licensee with fewer than ten employees, including any independent contractors, is
exempt from section 60A.9853;
new text end

new text begin (2) a licensee subject to Public Law 104-191, enacted August 21, 1996 (Health Insurance
Portability and Accountability Act), that has established and maintains an information
security program pursuant to such statutes, rules, regulations, procedures, or guidelines
established thereunder, will be considered to meet the requirements of section 60A.9853,
provided that the licensee is compliant with, and submits a written statement certifying its
compliance with, the same; and
new text end

new text begin (3) an employee, agent, representative, or designee of a licensee, who is also a licensee,
is exempt from section 60A.9853 and need not develop its own information security program
to the extent that the employee, agent, representative, or designee is covered by the
information security program of the other licensee.
new text end

new text begin Subd. 2. new text end

new text begin Exemption lapse; compliance. new text end

new text begin In the event that a licensee ceases to qualify
for an exception, such licensee shall have 180 days to comply with this act.
new text end