The administration of Gov. Tim Walz plans to propose legislation next year to tighten computer security at insurance companies in the state, following revelations that Minnesota Blue Cross Blue Shield allowed hundreds of thousands of serious cybersecurity vulnerabilities to collect on its computer systems over a period of years.
State Commerce Commissioner Steve Kelley said in an interview on Friday that his office will work with the Legislature early next year to draft and generate support for a state law adopting national standards for data security at insurance companies, including but not limited to health insurers.
The announcement comes less than a week after the Star Tribune reported that Minnesota Blue Cross, the state's largest health insurer, is working to eliminate as many of the 200,000 critical or severe cybersecurity vulnerabilities on its network servers as it can before the end of the year, following sharp prodding by a whistleblower. Minnesota Blue Cross said its customers' data are secure, and the not-for-profit insurer complies with existing legal requirements for data privacy and security.
The new Minnesota insurance cybersecurity law would give the state Commerce Department the power to investigate cybersecurity precautions and breaches at insurance companies, and it also would create a requirement that insurers notify the office when they experience a breach.
"We see the stories every day that companies are under attack from a variety of sources, whether they are individual hackers or government-sponsored intrusions. Consumers, and information held by insurance companies and related licensees, are always under attack," Kelley said. "So it is appropriate to take common-sense steps to increase the protections against cybersecurity as well as other kinds of threats to protect the information of consumers."
With Walz's support, Kelley said he will bring forward legislation in February to have Minnesota join the small but growing number of states adopting a model cybersecurity law for insurance companies.
"Minnesotans deserve peace of mind when it comes to privacy in the digital age," Walz said in an e-mailed statement. "Right now, insurance companies are trusted with our most private information. Establishing standards for data security will protect millions of consumers across the state, while strengthening our business community and economy. I look forward to working with industry partners and legislators on this important issue."
The model law was drafted in 2017 by the National Association of Insurance Commissioners (NAIC) after nearly two years of debate. Eight states including Michigan and Ohio have adopted the law.