Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

House passes protections for private data collected by insurance companies

If you have an insurance policy, whether it’s life, health, homeowners or vehicle, chances are you parted with a lot of very personal information on an application for that policy.

Protecting that private data is the goal of HF1913, which was passed, as amended, 82-49 Monday. It now heads to the Senate where Sen. Paul Utke (R-Park Rapids) is the sponsor.

Sponsored by Rep. Steve Elkins (DFL-Bloomington), the bill would require insurance companies to establish an information security program to protect consumers’ private data and report “cybersecurity events” such as data breaches to the state.

“This bill addresses several high-profile data breaches of insurers and other financial institutions,” he said.

Elkins said the bill is based on model data security legislation to protect consumer information developed by the National Association of Insurance Commissioners.

Adopting uniform language also has other important benefits to Minnesota insurers, Elkins said.

“This process helps states adopt more uniform regulations across the U.S., and also enables Minnesota-based insurance companies to do business in other states without having to seek certification in every individual state,” he said.

Types of businesses that would be affected include: finance, health, life, property, fire, business and vehicle insurance companies subject to licensure by the state.

An information security program developed by an insurance company would need to:

  • identify reasonably foreseeable threats;
  • assess the likelihood of, and damage from, those threats;
  • assess the sufficiency of policies, procedures, information systems, and other safeguards;
  • implement information safeguards to manage identified threats; and
  • identify a person responsible for the information security program.

A cybersecurity event would be defined as “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.”

Reports of an event would go to the Department of Commerce or Department of Health, depending on the type of data stolen. It would need to be reported within three business days.

Elkins successfully offered an amendment specifying how long licensed insurance companies would need to retain information about a cybersecurity event.

Rep. Eric Lucero (R-Dayton) said language in the bill, especially the definitions of terms, was “inefficient and duplicative” and did not conform very well to legal definitions in state statutes.

“We can be more specific; we can be refined; we have the option to do this right,” he said before unsuccessfully making a motion to table the bill.


Related Articles

Priority Dailies

House passes tax package that includes rebate checks, $1 billion in new revenues
Rep. Aisha Gomez and House Majority Leader Jamie Long talk during a break in the May 20 debate on HF1938, the tax finance and policy bill. (Photo by Catherine Davis) Is it the largest tax cut in Minnesota history? Or the biggest tax hike the state has ever experienced? Could it be both? That’s the crux of the debate about the conference ...
House passes finalized cannabis legalization bill, sends it to Senate
A supporter of cannabis legalization demonstrates in front of the Capitol in 2021. The House repassed a bill to legalize recreational cannabis, as amended in conference committee, May 18 and sent HF100 to the Senate. (House Photography file photo) The House gave the green light to adult-use recreational cannabis Thursday. “The day has finally arrived. Today is the day that we are going to vote here in the House for th...

Minnesota House on Twitter