North Dakota § 26.1-02.2-04 Investigation of a cybersecurity event

North Dakota Statutes

§ 26.1-02.2-04 — Investigation of a cybersecurity event

North Dakota § 26.1-02.2-04

Title 26.1Insurance

Ch. 26.1-02.2Insurance Data Security

This text of North Dakota § 26.1-02.2-04 (Investigation of a cybersecurity event) is published on Counsel Stack Legal Research, covering North Dakota primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

N.D. Cent. Code § 26.1-02.2-04 (2026).

Text

1.If a licensee learns a cybersecurity event has or may have occurred, the licensee, an outside vendor, or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.

2.During the investigation, the licensee or an outside vendor or service provider designated to act on behalf of the licensee, at a minimum shall:

a.Determine whether a cybersecurity event has occurred;

b.Assess the nature and scope of the cybersecurity event;

c.Identify any nonpublic information that may have been involved in the cybersecurity event; and

d.Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in

Free access — add to your briefcase to read the full text and ask questions with AI

1. If a licensee learns a cybersecurity event has or may have occurred, the licensee, an
outside vendor, or service provider designated to act on behalf of the licensee, shall
conduct a prompt investigation.
2. During the investigation, the licensee or an outside vendor or service provider
designated to act on behalf of the licensee, at a minimum shall:
a. Determine whether a cybersecurity event has occurred;
b. Assess the nature and scope of the cybersecurity event;
c. Identify any nonpublic information that may have been involved in the
cybersecurity event; and
d. Perform or oversee reasonable measures to restore the security of the
information systems compromised in the cybersecurity event in order to prevent
further unauthorized acquisition, release, or use of nonpublic information in the
licensee's possession, custody, or control.
3. If a licensee learns a cybersecurity event has or may have occurred in a system
maintained by a third-party service provider, the licensee shall complete the
requirements provided under subsection 2 or confirm and document that the
third-party service provider has completed the requirements.
4. The licensee shall maintain records concerning all cybersecurity events for a period of
at least five years from the date of the cybersecurity event and shall produce the
records upon demand of the commissioner.