ND LEG Insurer Cybersecurity Events

Published on: Apr 1, 2025

On Mar. 26, ND LEG passed bill on insurer data security requirements.

  • ND LEG passed SB 2088 on data security requirements for insurance producers.
  • Amended ND INS 26.1-02.2-01 (data security), ND INS 26.1-02.2-05 (notification of event), ND INS 26.1-02.2-07 (confidentiality), ND INS 26.1-02.2-08 (exceptions).
  • Also repealed ND INS 26.1-02.2-11 (implementation dates for certain requirements).
  • Bill Provisions
  • Removed exception to cybersecurity event for data returned, destroyed, or not used.
  • Deleted reasonable likelihood of materially harming a consumer from factors requiring insurers to report cybersecurity events to the commissioner of insurance.
  • Removed requirement for consent of insurer before making investigation data public.
  • Deleted exception to requirements made for insurers with fewer than 25 employees.
  • Legislative History
  • On Jan. 7, 2025, bill introduced in Senate; on Jan. 31, 2025, bill passed the Senate.
  • On Feb. 18, 2025, bill introduced in House; on Mar. 18, 2025, bill passed the House.
  • On Mar. 24, 2025 bill sent to governor; on Mar. 26, 2025, bill signed by governor.
  • Effectiveness
  • Per ND Constitution, upon approval by governor bill will become effective Aug. 1, 2025
Regulators
ND LEG
Entity Types
Ins
Reference
Bill SB2088, 3/26/2025; Citation: *ND INS* 26.1-02.2-01, 26.1-02.2-05, 26.1-02.2-07, 26.1-02.2-08, 26.1-02.2-11;
Functions
Compliance; Cyber; Legal; Operations; Reporting; Technology
Countries
United States of America
Category
State
N/A
Products
Insurance; Insurance-Casualty; Insurance-Health; Insurance-Life; Insurance-Property
Rule Type
Final
Regions
Am
Rule Date
Mar 26, 2025
Effective Date
Aug 1, 2025
Rule ID
248518
Linked to
N/A
Reg. Last Update
Mar 26, 2025
Report Section
US Insurance