Recently, the Minnesota Legislature passed a new series of laws, located at Minn. Stat. 60A.985, et. seq., regarding cybersecurity.
In brief, these laws require Title Insurance Agents, among others, to develop an Information Security Program to protect certain non-public data, as well as a Written Incident Response Plan. The laws also require Title Insurance Agents to self-report to the Department of Commerce and affected parties if a cybersecurity event occurs.
In review of the law, the good news is it appears if you have less than 25 employees, you are exempt from creating a Written Incident Response Plan and you are exempt from developing a Written Incident Response Plan. As we read the statute, you are NOT exempt from the reporting requirements. See Minn. Stat. 60A9856, Subdivision 1 (1) for more information on the exemption.
If you are an employee who holds an individual producers license and your employer has 25 or more employees; the law is unclear as to your requirements in creating a Written Incident Response Plan and developing a Written Incident Response Plan. While individual Licensees who are employees of license holding employers are exempt, the law is unclear regarding individual Licensees who are employees of non-license holding employers. Please see below for more information regarding ATGF’s understanding of each section of the new statute. The statute is new so it is recommended you do your own review, as well.
NOTE: this is not intended as a thorough review, but an overview of our understanding of the statutes.
Implementation of an Information Security Program is required for Licensees with more than 25 employees and requires:
There is a statutory duty to investigate a Cybersecurity Event under 60A.9852. Licensees with less than 25 employees are exempt from this statutory duty.
Requires all Licensees to notify to the Department of Commerce, the consumer and possibly others, in the event of a Cybersecurity event.
Notification is required by all Licensees -
- To STATE if. . .
o this state is the Licensee's state of domicile, in the case of an insurer, or this state is the Licensee's home state, in the case of a producer, as those terms are defined in chapter 60K and the Cybersecurity event has a reasonable likelihood of materially harming:
o OR the Licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in this state and that is either of the following:
- To the CONSUMER . . . if a Licensee is required to submit a report to the commissioner under subdivision 1, the Licensee shall notify any consumer residing in Minnesota if, as a result of the Cybersecurity Event reported to the commissioner, the consumer's nonpublic information was or is reasonably believed to have been acquired by an unauthorized person, and there is a reasonable likelihood of material harm to the consumer as a result of the Cybersecurity Event.
NOTE: There is some confusion in the fact that there is no statutory duty to investigate a Cybersecurity Event, but f a Cybersecurity Event occurs, notification is required “without unreasonable delay but in no event later than five business days from a determination that a Cybersecurity Event has occurred.” The event that triggers required notification is that there has been a determination that a Cybersecurity Event has occurred.
gives the Commissioner the power to investigate Licensees to determine whether the Licensee is in violation of Sections 60A.985 - 60A.9857. The Commissioner has the power to investigate when the Commissioner has “reason to believe” that a Licensee has been or is engaged in conduct in violation of these sections.
deals with Confidentiality due to the sharing of information, that otherwise would be private information, for the purposes of meeting the requirements of these sections.
- Information provided to meet the requirements of this section shall be classified as confidential, and shall not be subject to subpoena, nor shall the Commissioner nor anyone acting on behalf of the commissioner, be permitted to testify concerning this confidential material.
- Attorneys may not withhold information by use of attorney-client privilege, but for purposes of legal proceedings, attorneys do not waive their right to such privilege.
provides exceptions to requirements of these sections.
provides available penalties in the case of a violation of sections 60A.985 to 60A.9856. The penalties may be levied in accordance with section 60A.052.
provides that sections 60A.985 to 60A.9857 establish the exclusive state standards applicable to Licensees for data security, the investigation of a Cybersecurity Event, and notification of a Cybersecurity Event.
Jeffery A. Dobberpuhl
Vice President, ATGF
Phone: (952) 938-3544 ext 114
Jeffrey S. Ronbeck
VP, Quality Assurance and Compliance
Phone: (952) 938-3544 ext 113
Phone: (952) 938-3544 ext 115
Founded in 1960, ATGF provides best in class title insurance underwriting and services for more than 60 years. The company's mission is helping agents succeed through trusted products and services, innovative technology and amazing support. The company currently pursues this mission by underwriting, training and supporting agents in Colorado, Utah, Minnesota, North Dakota, Nevada, and Arizona. ATGF has maintained a strong Financial Stability Rating(r) (FSR) of A, Exceptional, from the independent rating agency, Demotech, Inc.