August 1st Cybersecurity Statute Affecting Minnesota Title Agents

Summary

‍

Recently, the Minnesota Legislature passed a new series of laws, located at Minn. Stat. 60A.985, et. seq., regarding cybersecurity.

In brief, these laws require Title Insurance Agents, among others, to develop an Information Security Program to protect certain non-public data, as well as a Written Incident Response Plan. The laws also require Title Insurance Agents to self-report to the Department of Commerce and affected parties if a cybersecurity event occurs.

In review of the law, the good news is it appears if you have less than 25 employees, you are exempt from creating a Written Incident Response Plan and you are exempt from developing a Written Incident Response Plan. As we read the statute, you are NOT exempt from the reporting requirements. See Minn. Stat. 60A9856, Subdivision 1 (1) for more information on the exemption.

If you are an employee who holds an individual producers license and your employer has 25 or more employees; the law is unclear as to your requirements in creating a Written Incident Response Plan and developing a Written Incident Response Plan. While individual Licensees who are employees of license holding employers are exempt, the law is unclear regarding individual Licensees who are employees of non-license holding employers. Please see below for more information regarding ATGF’s understanding of each section of the new statute. The statute is new so it is recommended you do your own review, as well.

‍

Overview of Minn. Stat. 60A.985-60A.9858

NOTE: this is not intended as a thorough review, but an overview of our understanding of the statutes.

‍

Minn. Stat 60A.985

provides definitions:

• a.    A “Licensee” includes title producers and title insurers.

• b.    A “Cybersecurity Event” is defined as, “an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system.”

• a.     Note: Cybersecurity Event does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization.

• b.     Cybersecurity Event does not include an event with regard to which the Licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

‍

60A.9851 –

Implementation of an Information Security Program is required for Licensees with more than 25 employees and requires:

• a.    Implementation of an InformationSecurity Program

• b.    The Licensee to have a Risk Assessment Program

• c.    The Licensee to have Risk Management Program

• d.    If the Licensee has a Board ofDirectors – the Board shall provide oversight.

• e.    Third Party Service Providers shall be chosen with care and be overseen by the Licensee

• f.     The Licensee to regularly adjust the above to match changes in technology, etc.

• g.    The Licensee to certify annually to the Department of Commerce they are maintain these programs.

‍

60A.9852 -

There is a statutory duty to investigate a Cybersecurity Event under 60A.9852. Licensees with less than 25 employees are exempt from this statutory duty.

‍

60A.9853 -

Requires all Licensees to notify to the Department of Commerce, the consumer and possibly others, in the event of a Cybersecurity event.

           Notification is required by all Licensees -

-       To STATE if. . .

o  this state is the Licensee's state of domicile, in the case of an insurer, or this state is the Licensee's home state, in the case of a producer, as those terms are defined in chapter 60K and the Cybersecurity event has a reasonable likelihood of materially harming:

• § any consumer residing in this state; or

• § any part of the normal operations of the Licensee; or

o  OR  the Licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in this state and that is either of the following:

• § a Cybersecurity Event impacting the Licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or

• § a Cybersecurity Event that has are reasonable likelihood of materially harming:

• ·      any consumer residing in this state; or

• ·      any part of the normal operations of the Licensee

‍

-       To the CONSUMER . . . if a Licensee is required to submit a report to the commissioner under subdivision 1, the Licensee shall notify any consumer residing in Minnesota if, as a result of the Cybersecurity Event reported to the commissioner, the consumer's nonpublic information was or is reasonably believed to have been acquired by an unauthorized person, and there is a reasonable likelihood of material harm to the consumer as a result of the Cybersecurity Event.

‍

NOTE: There is some confusion in the fact that there is no statutory duty to investigate a Cybersecurity Event, but f a Cybersecurity Event occurs, notification is required “without unreasonable delay but in no event later than five business days from a determination that a Cybersecurity Event has occurred.” The event that triggers required notification is that there has been a determination that a Cybersecurity Event has occurred.

‍

60A.9854 -

gives the Commissioner the power to investigate Licensees to determine whether the Licensee is in violation of Sections 60A.985 - 60A.9857. The Commissioner has the power to investigate when the Commissioner has “reason to believe” that a Licensee has been or is engaged in conduct in violation of these sections.

‍

60A.9855 -

deals with Confidentiality due to the sharing of information, that otherwise would be private information, for the purposes of meeting the requirements of these sections.

-       Information provided to meet the requirements of this section shall be classified as confidential, and shall not be subject to subpoena, nor shall the Commissioner nor anyone acting on behalf of the commissioner, be permitted to testify concerning this confidential material.

-       Attorneys may not withhold information by use of attorney-client privilege, but for purposes of legal proceedings, attorneys do not waive their right to such privilege.

‍

60A.9856 -

provides exceptions to requirements of these sections.

• a.    If a Licensee has 25 employees or less, then the Licensee has no duty to comply with 9851 or 9852 (implementation of an Information Security Program or Statutory Duty to Investigate a Cybersecurity Event).

• b.    Employees/agents/etc. of a Licensee who are also Licensees themselves, are exempt from Sections 9851 and 9852 so long as the employer Licensee complies with such sections.

• c.    The Statute is unclear in defining whether a Licensee who works for a non-Licensee employer of more than 25 employees is exempt from the requirements of Sections 9851 and 9852.

‍

60A.9857 -

provides available penalties in the case of a violation of sections 60A.985 to 60A.9856. The penalties may be levied in accordance with section 60A.052.

‍

60A.9858  -

provides that sections 60A.985 to 60A.9857 establish the exclusive state standards applicable to Licensees for data security, the investigation of a Cybersecurity Event, and notification of a Cybersecurity Event.

‍

Please feel free to reach out to any of us at the ATGF Minnesota office for more information:

‍

Jeffery A. Dobberpuhl              

Vice President, ATGF                                              

jdobberpuhl@atgf.net

Phone: (952) 938-3544 ext 114

‍

Jeffrey S. Ronbeck

VP, Quality Assurance and Compliance

jronbeck@atgf.net

Phone: (952) 938-3544 ext 113

‍

Algon Buechler

General Counsel

abuechler@atgf.net

Phone: (952) 938-3544 ext 115