All Roll Calls
Yes: 136 • No: 1
North DakotaSB 20882025 Regular SessionSenateWALLET
AN ACT to amend and reenact subsection 4 of section 26.1-02.2-01, sections 26.1-02.2-05 and 26.1-02.2-07, and subsection 1 of section 26.1-02.2-08 of the North Dakota Century Code, relating to data security requirements for insurance producers; and to repeal section 26.1-02.2-11 of the North Dakota Century Code, relating to implementation dates for certain data security requirements for insurance producers.
Sponsored By: Senate Industry and Business
Became Law
Your PRIA Score
Score Hidden
Personalized for You
How does this bill affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this bill and every other piece of legislation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Bill Overview
Analyzed Economic Effects
5 provisions identified: 3 benefits, 1 costs, 1 mixed.
Breach reports stay confidential with regulators
Information you give the Insurance Commissioner under this chapter is confidential and not a public record. It is not subject to subpoena or discovery and is not admissible in private civil lawsuits. The Commissioner may share it with other regulators, law enforcement, the NAIC, or consultants, but only under written confidentiality agreements. Materials held by the NAIC or those consultants remain confidential.
Exemptions for small and HIPAA licensees
Small licensees are exempt from most information security program rules in section 26.1-02.2-03 (subsections 2–10) if they have under $5,000,000 in gross revenue or under $10,000,000 in year‑end assets. From August 1, 2021 through July 31, 2023, those with fewer than 50 employees were exempt from section 26.1‑02.2‑03. Starting August 1, 2023, those with fewer than 25 employees are exempt. A licensee that follows HIPAA privacy, security, and breach rules and treats nonpublic data like protected health information is deemed compliant, but still must meet the Commissioner’s reporting rules. An employee or agent who is also a licensee does not need a separate program if already covered by another licensee’s program.
72-hour cybersecurity reporting for licensees
Licensees must tell the Insurance Commissioner as soon as possible, and no later than 72 hours, after they determine a qualifying cybersecurity event. You must notify when North Dakota is your domicile or home state and the event is likely to materially harm a North Dakota consumer or a material part of your operations. You also must notify if you believe the event involves nonpublic data of 250 or more North Dakota residents and either some law requires notice to any government body or the event is likely to materially harm consumers or operations. The notice must include key facts: when and how it happened, how it was found, what data types were involved, how long systems were compromised, how many North Dakotans were affected, any law‑enforcement reports, your fixes, your privacy policy, your consumer‑notice steps, and a contact person. If a third‑party service provider is involved, you must report unless the provider files the required notice, and you must give the Commissioner a copy of the consumer notice you send.
Old rollout dates for producers repealed
The law repeals section 26.1-02.2-11, which set rollout dates for some producer data security rules. Without that section, producers and other licensees follow the effective dates and duties in the rest of this chapter and any current rules.
What counts as a cybersecurity event
The law defines a “cybersecurity event” as unauthorized access to, disruption of, or misuse of an information system or nonpublic information. It excludes encrypted data if the encryption process or key was not also taken or used. It also excludes incidents where nonpublic information was accessed but not used or released and has been returned or destroyed. These rules apply to insurers, producers, and other licensees.
Sponsors & Cosponsors
Sponsor
Senate Industry and Business
Affiliation unavailable
Cosponsors
There are no cosponsors for this bill.
Roll Call Votes
House vote • 3/18/2025
Second reading, passed, yeas 93 nays 0
Yes: 93 • No: 0
Senate vote • 1/31/2025
Second reading, passed, yeas 43 nays 1
Yes: 43 • No: 1
Actions Timeline
Filed with Secretary Of State 03/26
3/27/2025HouseSigned by Governor 03/25
3/26/2025SenateSent to Governor
3/24/2025SenateSigned by President
3/24/2025SenateSigned by Speaker
3/24/2025HouseReturned to Senate
3/19/2025SenateSecond reading, passed, yeas 93 nays 0
3/18/2025HouseReported back, do pass, place on calendar 13 1 0
3/17/2025HouseCommittee Hearing 11:00
3/17/2025HouseIntroduced, first reading, referred Industry, Business and Labor Committee
2/18/2025HouseReceived from Senate
2/3/2025HouseSecond reading, passed, yeas 43 nays 1
1/31/2025SenateAmendment adopted, placed on calendar
1/30/2025SenateReported back amended, do pass, amendment placed on calendar 5 0 0
1/29/2025SenateCommittee Hearing 09:00
1/22/2025SenateIntroduced, first reading, referred Industry and Business Committee
1/7/2025Senate
Bill Text
Adopted by the Senate Industry and Business Committee
Enrollment
FIRST ENGROSSMENT
INTRODUCED
Related Bills
HB 1022 — AN ACT to provide an appropriation for defraying the expenses of the retirement and investment office.
SB 2018 — AN ACT to provide an appropriation for defraying the expenses of the department of commerce; to provide an appropriation to the attorney general; to provide an appropriation to the department of career and technical education; to provide an appropriation to the state fair association; to provide a contingent appropriation; to create and enact a new section to chapter 54-60 of the North Dakota Century Code, relating to department of commerce grant reporting requirements; to amend and reenact subsection 1 of section 10-30.5-02, sections 54-60-09, 54-60-19, 54-60-28, 54-60-29, 54-60-29.1, and 54-60-31 of the North Dakota Century Code, relating to the purpose of the North Dakota development fund, duties and talent strategy of the division of workforce development, the uncrewed aircraft systems program, the uncrewed aircraft systems program fund, the beyond visual line of sight uncrewed aircraft system program, and changing the name of the office of legal immigration to the global talent office; to authorize a Bank of North Dakota line of credit; to provide for a transfer; to provide an application; to provide an exemption; and to provide for a legislative management report.
SB 2323 — AN ACT to amend and reenact sections 57-51-15 and 57-51.1-07.5 of the North Dakota Century Code, relating to oil and gas gross production tax allocations and the state share of oil and gas tax allocations; to provide for a legislative management report; to provide an exemption; and to provide an effective date.
SB 2390 — AN ACT to create and enact three new sections to chapter 54-40.1 of the North Dakota Century Code, relating to a rural catalyst committee, grant program, and fund; to amend and reenact section 54-40.1-02 of the North Dakota Century Code, relating to definitions for regional planning councils; to provide an appropriation; and to provide for a transfer.
SB 2397 — AN ACT to create and enact a new subsection to section 57-51.1-03 of the North Dakota Century Code, relating to a limited exemption for development incentive wells; to amend and reenact sections 57-51-02.6, 57-51-05, and 57-51.1-01 of the North Dakota Century Code, relating to the temporary exemption for oil and gas wells employing a system to avoid flaring, an exemption from gross production tax for gas produced from certain enhanced oil recovery projects, and the definition of development incentive well; to provide an effective date; and to provide an expiration date.
SB 2370 — AN ACT to provide for a legislative management study regarding prescription drug transparency reporting under the federal drug discount program.