1.    The following exceptions apply to this chapter:

a.    A licensee with less than five million dollars in gross revenue or less than ten million dollars in year-end assets is exempt from section 26.1-02.2-03.

b.    During the period beginning on August 1, 2021, and ending on July 31, 2023, a licensee with fewer than fifty employees, including independent contractors and employees of affiliated companies having access to nonpublic information used by the licensee or in the licensee’s possession, custody, or control, is exempt from section 26.1-02.2-03.

c.    After July 31, 2023, a licensee with fewer than twenty-five employees, including independent contractors and employees of affiliated companies having access to nonpublic information used by the licensee or in the licensee’s possession, custody, or control is exempt from section 26.1-02.2-03.

d.    A licensee that is subject to and governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, title 45, Code of Federal Regulations, parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104-191], and the federal Health Information Technology for Economic and Clinical Health Act [Pub. L. 111-5], and which maintains nonpublic information concerning a consumer in the same manner as protected health information is deemed to comply with the requirements of this chapter except for the commissioner notification requirements under subsections 1 and 2 of section 26.1-02.2-05.

e.    An employee, agent, representative, or designee of a licensee, that also is a licensee, is exempt from section 26.1-02.2-03 and is not required to develop an information security program to the extent the employee, agent, representative, or designee is covered by the information security program of the other licensee.

2.    If a licensee ceases to qualify for an exception, the licensee has one hundred eighty days to comply with this chapter.