If you have an insurance policy, whether it’s life, health, homeowners or vehicle, chances are you parted with a lot of very personal information on an application for that policy.
Sponsored by Rep. Steve Elkins (DFL-Bloomington), the bill would require insurance companies to establish an information security program to protect consumers’ private data and report “cybersecurity events” such as data breaches to the state.
“This bill addresses several high-profile data breaches of insurers and other financial institutions,” he said.
Adopting uniform language also has other important benefits to Minnesota insurers, Elkins said.
“This process helps states adopt more uniform regulations across the U.S., and also enables Minnesota-based insurance companies to do business in other states without having to seek certification in every individual state,” he said.
Types of businesses that would be affected include: finance, health, life, property, fire, business and vehicle insurance companies subject to licensure by the state.
An information security program developed by an insurance company would need to:
A cybersecurity event would be defined as “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.”
Reports of an event would go to the Department of Commerce or Department of Health, depending on the type of data stolen. It would need to be reported within three business days.
Elkins successfully offered an amendment specifying how long licensed insurance companies would need to retain information about a cybersecurity event.
Rep. Eric Lucero (R-Dayton) said language in the bill, especially the definitions of terms, was “inefficient and duplicative” and did not conform very well to legal definitions in state statutes.
“We can be more specific; we can be refined; we have the option to do this right,” he said before unsuccessfully making a motion to table the bill.