Minnesota Legislature

House passes protections for private data collected by insurance companies

If you have an insurance policy, whether it’s life, health, homeowners or vehicle, chances are you parted with a lot of very personal information on an application for that policy.

Protecting that private data is the goal of HF1913, which was passed, as amended, 82-49 Monday. It now heads to the Senate where Sen. Paul Utke (R-Park Rapids) is the sponsor.

Sponsored by Rep. Steve Elkins (DFL-Bloomington), the bill would require insurance companies to establish an information security program to protect consumers’ private data and report “cybersecurity events” such as data breaches to the state.

“This bill addresses several high-profile data breaches of insurers and other financial institutions,” he said.

Elkins said the bill is based on model data security legislation to protect consumer information developed by the National Association of Insurance Commissioners.

Adopting uniform language also has other important benefits to Minnesota insurers, Elkins said.

“This process helps states adopt more uniform regulations across the U.S., and also enables Minnesota-based insurance companies to do business in other states without having to seek certification in every individual state,” he said.

Types of businesses that would be affected include: finance, health, life, property, fire, business and vehicle insurance companies subject to licensure by the state.

An information security program developed by an insurance company would need to:

  • identify reasonably foreseeable threats;
  • assess the likelihood of, and damage from, those threats;
  • assess the sufficiency of policies, procedures, information systems, and other safeguards;
  • implement information safeguards to manage identified threats; and
  • identify a person responsible for the information security program.

A cybersecurity event would be defined as “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.”

Reports of an event would go to the Department of Commerce or Department of Health, depending on the type of data stolen. An event would need to be reported within three business days.

Elkins successfully offered an amendment specifying how long licensed insurance companies would need to retain information about a cybersecurity event.

Rep. Eric Lucero (R-Dayton) said language in the bill, especially the definitions of terms, was “inefficient and duplicative” and did not conform very well to legal definitions in state statutes.

“We can be more specific; we can be refined; we have the option to do this right,” he said before unsuccessfully making a motion to table the bill.

 

