Subdivision 1. Generally. The following exceptions shall apply to sections 60A.985 to 60A.9857:
(1) a licensee with fewer than 25 employees is exempt from sections 60A.9851 and 60A.9852;
(2) a licensee subject to and in compliance with the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (HIPAA), is considered to comply with sections 60A.9851, 60A.9852, and 60A.9853, subdivisions 3 to 5, provided the licensee submits a written statement certifying its compliance with HIPAA;
(3) a licensee affiliated with a depository institution that maintains an information security program in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth pursuant to United States Code, title 15, sections 6801 and 6805, shall be considered to meet the requirements of section 60A.9851 provided that the licensee produce, upon request, documentation satisfactory to the commission that independently validates the affiliated depository institution's adoption of an information security program that satisfies the interagency guidelines;
(4) an employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from sections 60A.9851 and 60A.9852 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee; and
(5) an employee, agent, representative, or designee of a producer licensee, as defined under section 60K.31, subdivision 6, who is also a licensee, is exempt from sections 60A.985 to 60A.9857.
Subd. 2. Exemption lapse; compliance. In the event that a licensee ceases to qualify for an exception, such licensee shall have 180 days to comply with sections 60A.985 to 60A.9858.
History: 1Sp2021 c 4 art 3 s 11