as introduced - 91st Legislature (2019 - 2020) Posted on 03/11/2020 04:25pm
A bill for an act
relating to insurance; establishing an Insurance Data Security Law; proposing
coding for new law in Minnesota Statutes, chapter 60A.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Sections 60A.985 to 60A.9861 may be cited as the "Insurance Data Security Law."

The purpose and intent of sections 60A.985 to 60A.9861 is to establish standards for data security and standards for the investigation of and notification to the commissioner of a cybersecurity event applicable to licensees, as defined in section 60A.9852, subdivision 5.

Sections 60A.985 to 60A.9861 may not be construed to create or imply a private cause of action for violation of their provisions, nor may they be construed to curtail a private cause of action which would otherwise exist in the absence of sections 60A.985 to 60A.9861.
As used in this act, the following terms have the meanings given.

"Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Commissioner" means the commissioner of commerce.

"Consumer" means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.

"Cybersecurity event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on an information system.

Cybersecurity event does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.

Cybersecurity event does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Department" means the Department of Commerce.

"Encrypted" means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.

"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, by the Department of Commerce or the Department of Health, but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state, or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Multifactor authentication" means authentication through verification of at least two of the following types of authentication factors:
(1) knowledge factors, such as a password;
(2) possession factors, such as a token or text message on a mobile phone; or
(3) inherence factors, such as a biometric characteristic.

"Nonpublic information" means information that is not publicly available information and is:
(1) business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
(2) any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
(i) Social Security number;
(ii) driver's license number or nondriver identification card number;
(iii) account number, credit card number, or debit card number;
(iv) any security code, access code, or password that would permit access to a consumer's financial account; or
(v) biometric records; or
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
(i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
(ii) the provision of health care to any consumer; or
(iii) payment for the provision of health care to any consumer.

"Person" means any individual or any nongovernmental entity, including but not limited to any nongovernmental partnership, corporation, branch, agency, or association.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from: federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.

For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
(1) that the information is of the type that is available to the general public; and
(2) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

"Risk assessment" means the risk assessment that each licensee is required to conduct under section 60A.9853, subdivision 3.

"State" means the state of Minnesota.

"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.
Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

A licensee's information security program shall be designed to:
(1) protect the security and confidentiality of nonpublic information and the security of the information system;
(2) protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
(3) protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
(4) define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

The licensee shall:
(1) designate one or more employees, an affiliate, or an outside vendor acting on behalf of the licensee to be responsible for the information security program;
(2) identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;
(3) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information;
(4) assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including:
(i) employee training and management;
(ii) information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
(iii) detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
(5) implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

Based on its risk assessment, the licensee shall:
(1) design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;
(2) determine which of the following security measures are appropriate and implement them:
(i) place access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of nonpublic information;
(ii) identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;
(iii) restrict access at physical locations containing nonpublic information to authorized individuals only;
(iv) protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
(v) adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;
(vi) modify the information system in accordance with the licensee's information security program;
(vii) utilize effective controls, which may include multifactor authentication procedures, for any authorized individual accessing nonpublic information;
(viii) regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
(ix) include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
(x) implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and
(xi) develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;
(3) include cybersecurity risks in the licensee's enterprise risk management process;
(4) stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
(5) provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:
(1) require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program;
(2) require the licensee's executive management or its delegates to report in writing, at least annually, the following information:
(i) the overall status of the information security program and the licensee's compliance with this act; and
(ii) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program; and
(3) if executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of the report to the board of directors.
(a) A licensee shall exercise due diligence in selecting its third-party service provider.

(b) A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

(a) As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations.

(b) Such incident response plan shall address the following areas:
(1) the internal process for responding to a cybersecurity event;
(2) the goals of the incident response plan;
(3) the definition of clear roles, responsibilities, and levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(6) documentation and reporting regarding cybersecurity events and related incident response activities; and
(7) the evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.

Annually, each insurer domiciled in this state shall submit to the commissioner a written statement by February 15 certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the commissioner.
If the licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.

During the investigation, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum and to the extent possible:
(1) determine whether a cybersecurity event has occurred;
(2) assess the nature and scope of the cybersecurity event;
(3) identify any nonpublic information that may have been involved in the cybersecurity event; and
(4) perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.

If the licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee shall complete the steps listed in subdivision 2 or confirm and document that the third-party service provider has completed those steps.

The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner.
Each licensee shall notify the commissioner as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred when either of the following criteria has been met:
(1) this state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in chapter 60K; or
(2) the licensee reasonably believes that the nonpublic information involved is that of 250 or more consumers residing in this state and that the event is either of the following:
(i) a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
(ii) a cybersecurity event that has a reasonable likelihood of materially harming:
(A) any consumer residing in this state; or
(B) any material part of the normal operations of the licensee.

The licensee shall provide as much of the following information as possible. The licensee shall provide the information in electronic form as directed by the commissioner. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the commissioner concerning the cybersecurity event.
(1) Date of the cybersecurity event;
(2) Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
(3) How the cybersecurity event was discovered;
(4) Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
(5) The identity of the source of the cybersecurity event;
(6) Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
(7) Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
(8) The period during which the information system was compromised by the cybersecurity event;
(9) The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section;
(10) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
(11) Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
(12) A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
(13) Name of a contact person who is familiar with the cybersecurity event and authorized to act for the licensee.

The licensee shall comply with section 325E.61, as applicable, and provide a copy of the notice sent to consumers under that statute to the commissioner when a licensee is required to notify the commissioner under subdivision 1.
(a) In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat such event as it would under subdivision 1.

(b) The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

(c) Nothing in this act shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under section 60A.9854 or notice requirements imposed under this section.

(a) In the case of a cybersecurity event involving nonpublic information that is used by a licensee that is acting as an assuming insurer, or that is in the possession, custody, or control of a licensee that is acting as an assuming insurer, where that licensee does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within 72 hours of making the determination that a cybersecurity event has occurred.

(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 325E.61 and any other notification requirements relating to a cybersecurity event imposed under this section.

(c) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within 72 hours of receiving notice from its third-party service provider that a cybersecurity event has occurred.

(d) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 325E.61 and any other notification requirements relating to a cybersecurity event imposed under this section.

(a) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider, and for which a consumer accessed the insurer's services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the commissioner.

(b) The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.
(a) The commissioner shall have power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this act. This power is in addition to the powers which the commissioner has under section 60A.031. Any such investigation or examination shall be conducted pursuant to section 60A.031.

(b) Whenever the commissioner has reason to believe that a licensee has been or is engaged in conduct in this state which violates this act, the commissioner may take action that is necessary or appropriate to enforce the provisions of this act.

Any documents, materials, or other information in the control or possession of the department that are furnished by a licensee or an employee or agent thereof acting on behalf of a licensee pursuant to section 60A.9853, subdivision 9, or section 60A.9855, subdivision 2, clauses (2), (3), (4), (5), (8), (10), and (11), or that are obtained by the commissioner in an investigation or examination pursuant to section 60A.9856, shall be classified as confidential, protected nonpublic, or both; shall not be subject to subpoena; and shall not be subject to discovery or admissible in evidence in any private civil action. However, the commissioner is authorized to use the documents, materials, or other information in the furtherance of any regulatory or legal action brought as a part of the commissioner's duties.

Neither the commissioner nor any person who received documents, materials, or other information while acting under the authority of the commissioner shall be permitted or required to testify in any private civil action concerning any confidential documents, materials, or information subject to subdivision 1.

In order to assist in the performance of the commissioner's duties under this act, the commissioner:
(1) may share documents, materials, or other information, including the confidential and privileged documents, materials, or information subject to subdivision 1, with other state, federal, and international regulatory agencies, with the National Association of Insurance Commissioners, its affiliates or subsidiaries, and with state, federal, and international law enforcement authorities, provided that the recipient agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information;
(2) may receive documents, materials, or information, including otherwise confidential and privileged documents, materials, or information, from the National Association of Insurance Commissioners, its affiliates or subsidiaries, and from regulatory and law enforcement officials of other foreign or domestic jurisdictions, and shall maintain as confidential or privileged any document, material, or information received with notice or the understanding that it is confidential or privileged under the laws of the jurisdiction that is the source of the document, material, or information;
(3) may share documents, materials, or other information subject to subdivision 1 with a third-party consultant or vendor, provided the consultant or vendor agrees in writing to maintain the confidentiality and privileged status of the document, material, or other information; and
(4) may enter into agreements governing sharing and use of information consistent with this subdivision.

No waiver of any applicable privilege or claim of confidentiality in the documents, materials, or information shall occur as a result of disclosure to the commissioner under this section or as a result of sharing as authorized in subdivision 3.

Nothing in sections 60A.985 to 60A.9861 shall prohibit the commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to chapter 13 to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners, its affiliates, or subsidiaries.
The following exceptions shall apply to sections 60A.985 to 60A.9861:
(1) a licensee with fewer than ten employees, including any independent contractors, is exempt from section 60A.9853;
(2) a licensee subject to Public Law 104-191, enacted August 21, 1996 (Health Insurance Portability and Accountability Act), that has established and maintains an information security program pursuant to such statutes, rules, regulations, procedures, or guidelines established thereunder, will be considered to meet the requirements of section 60A.9853, provided that the licensee is compliant with, and submits a written statement certifying its compliance with, the same; and
(3) an employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from section 60A.9853 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.

In the event that a licensee ceases to qualify for an exception, such licensee shall have 180 days to comply with this act.

In the case of a violation of this act, a licensee may be penalized in accordance with section 60A.052.

The commissioner may, in accordance with chapter 14, issue such regulations as shall be necessary to carry out the provisions of sections 60A.985 to 60A.9861.

If any provision of this act or the application thereof to any person or circumstance is for any reason held to be invalid, the remainder of the act and the application of such provision to other persons or circumstances shall not be affected thereby.

This act shall take effect on ....... Licensees shall have one year from the effective date of this act to implement section 60A.9853 and two years from the effective date of this act to implement section 60A.9853, subdivision 6.