On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our earlier coverage for more information on Ohio and South Carolina’s adoption of the Model Law.) Moreover, adoption of the Model Law continues to gain steam, with Rhode Island likely next in line.
Michigan’s Act, which adds chapter 5A to Michigan’s Insurance Code, seeks to establish “the exclusive standards applicable to licensees for data security, the investigation of a cybersecurity event” and certain regulatory notifications. MCL § 500.550. The Act defines licensees as persons licensed, authorized, or registered under Michigan insurance laws or required to be so. MCL § 500.553(g). This means all insurers, agencies, and brokers doing business in Michigan are covered. By contrast, reinsurers domiciled outside of Michigan, as well as risk retention groups and purchasing groups chartered and licensed in another state, are excluded from the Act. Id.
The Act requires licensees to:
Develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within one year of the effective date of the Act;
Perform a risk assessment that includes determining the appropriateness of implementing protections such as multifactor authentication, regular penetration testing, and encrypting data at rest;
Develop a written incident response plan to respond to a cybersecurity event as defined;
Require third-party service providers to implement security measures to protect and secure any information systems and personal information by January 20, 2023;
Report data breaches to the Superintendent within ten (10) business days after determination that a cybersecurity event has occurred;
Certify compliance to the Insurance Department Director by filing a written statement; and
Retain for five years all records supporting the certificate of compliance for inspection by the Superintendent.
While the Act largely tracks the Model Law, it departs from it in several substantial respects:
Private Action Provisions
The Act expressly forecloses the possibility that its adoption creates or implies a private cause of action for violation of its provisions, but does not “curtail a private cause of action that would otherwise exist” under Michigan law. MCL § 500.550.
The Act specifies that any documents furnished to NAIC or other third-party representatives are not subject to the state’s freedom of information act, subpoena, or discovery in a private action. MCL § 500.664(6).
Exclusive State Cybersecurity Standards
Similar to Ohio’s law, the Act “establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director.” Id. The Act provides an additional protection for reinsurers, stating that they do not have state notice obligations outside of those specified under the Act. MCL § 500.560(6). The Act does not, of course, supersede federal privacy or data security laws, including HIPAA.
Dedicated Customer Notice Provisions
While the Model Act assumes that consumer notice obligations will be equivalent to those required under the state’s general data breach notification law, the Act creates industry-specific requirements. MCL § 500.561. In particular, the Act requires notice of a cybersecurity event to any state resident unless there is a reasonable determination that the event “has not or is not likely to cause substantial loss or injury” or result in identity theft. Id. Such notice must be provided “without unreasonable delay.” MCL § 500.561(b)(4).
In addition to this basic requirement, the Act’s consumer notice provisions also provide for the following:
Written notice as well as electronic notice, telephone notice, or “substitute” notice (i.e., website posting or notice to statewide media) where specific conditions are met;
Reasonable delay of notice where it is necessary for remediation efforts, or if the delay is requested by law enforcement or a national security agency;
Notification to nationwide credit reporting agencies where notice is required to more than 1,000 residents; and
A safe harbor for licensees subject to, and who comply with, the consumer notice requirements of HIPAA and regulations promulgated thereunder.
Good Faith Acquisition Safe Harbor
The Act excludes from its definition of cybersecurity event the unauthorized access to information by a person acting in “good faith” and in a manner “related to the activities of the person.” MCL § 500.553(c)(ii)(A-B). The Act thus focuses on those breaches caused by third parties most likely to be targeting sensitive information for nefarious purposes. Like the Model Law, the Act excludes from the definition of cybersecurity event any nonpublic information that is encrypted. MCL § 500.553(c)(i).
Ten Day Reporting Requirement
In a move that is more generous than the seventy-two-hour requirement of the Model Law and the three-business-day requirement of Ohio’s law, the Act requires a licensee to report a cybersecurity event to the Department within “ten business days” after a determination that one has occurred. MCL § 500.559(1).
Additional Safe Harbor for In-State Licensees
Compared to the Model Act, the Act provides an additional safe harbor for Michigan-based licensees, requiring a report only where the cybersecurity event has a reasonable likelihood of materially harming a consumer or the licensee’s operations. MCL § 500.559(a)(iii). The Model Act provides this safe harbor only for out-of-state licensees.