Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

House passes protections for private data collected by insurance companies

If you have an insurance policy, whether it’s life, health, homeowners or vehicle, chances are you parted with a lot of very personal information on an application for that policy.

Protecting that private data is the goal of HF1913, which was passed, as amended, 82-49 Monday. It now heads to the Senate where Sen. Paul Utke (R-Park Rapids) is the sponsor.

Sponsored by Rep. Steve Elkins (DFL-Bloomington), the bill would require insurance companies to establish an information security program to protect consumers’ private data and report “cybersecurity events” such as data breaches to the state.

“This bill addresses several high-profile data breaches of insurers and other financial institutions,” he said.

Elkins said the bill is based on model data security legislation to protect consumer information developed by the National Association of Insurance Commissioners.

Adopting uniform language also has other important benefits to Minnesota insurers, Elkins said.

“This process helps states adopt more uniform regulations across the U.S., and also enables Minnesota-based insurance companies to do business in other states without having to seek certification in every individual state,” he said.

Types of businesses that would be affected include: finance, health, life, property, fire, business and vehicle insurance companies subject to licensure by the state.

An information security program developed by an insurance company would need to:

  • identify reasonably foreseeable threats;
  • assess the likelihood of, and damage from, those threats;
  • assess the sufficiency of policies, procedures, information systems, and other safeguards;
  • implement information safeguards to manage identified threats; and
  • identify a person responsible for the information security program.

A cybersecurity event would be defined as “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.”

Reports of an event would go to the Department of Commerce or Department of Health, depending on the type of data stolen. It would need to be reported within three business days.

Elkins successfully offered an amendment specifying how long licensed insurance companies would need to retain information about a cybersecurity event.

Rep. Eric Lucero (R-Dayton) said language in the bill, especially the definitions of terms, was “inefficient and duplicative” and did not conform very well to legal definitions in state statutes.

“We can be more specific; we can be refined; we have the option to do this right,” he said before unsuccessfully making a motion to table the bill.

 


Related Articles


Priority Dailies

Rep. Thompson to apologize for saying member is 'a racist,' ethics complaint dismissed
Rep. John Thompson (DFL-St. Paul) has agreed to apologize the next time the House convenes for calling a Republican member racist during the June 19 special session.
House caps off special session by passing omnibus tax bill
The bill would produce $49.1 billion in revenue in the 2022-23 biennium that started Thursday and provide $4.2 billion in refunds, aids and credits, including $761 million in new tax cuts and credits.

Minnesota House on Twitter