Feb 112019

Michigan Adopts National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law

Thomas D. Cunningham and Shay Banerjee
, , , , , , ,

On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law).  Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.

Michigan’s Act, which adds chapter 5A to Michigan’s Insurance Code, seeks to establish “the exclusive standards applicable to licensees for data security, the investigation of a cybersecurity event” and certain regulatory notifications.  MCL § 500.550. The Act defines licensees as persons authorized, registered, or licensed under Michigan insurance laws or required to be so. MCL § 500.553(g). This means all insurers, agencies, and brokers doing business in Michigan are covered.  By contrast, reinsurers domiciled outside of Michigan as well as risk retention groups and purchasing groups chartered and licensed in another state are excluded from the Act.  Id.

The Act requires licensees to:

  • Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within one year of the effective date of the Act;
  • Perform a risk assessment that includes determining the appropriateness of implementing protections such as multifactor authentication, regular penetration testing, and encrypting data at rest;
  • Develop a formal incident response plan to respond to a cybersecurity event as defined;
  • Require third-party service providers to implement security measures to protect and secure any information systems and personal information by January 20, 2023; and
  • Report data breaches to the Superintendent within ten (10) business days after determination that a cybersecurity event has occurred.

While the Act largely tracks the Model Law, it departs from it in several significant respects:

Private Action Provisions

The Act expressly forecloses the possibility that its adoption creates or implies a private cause of action for violation of its provisions, but does not “curtail a private cause of action that would otherwise exist” under Michigan law. MCL § 500.550.

FOIA Protections

The Act specifies that any documents provided to NAIC or other third-party consultant are not subject to the state’s freedom of information act, subpoena, or discovery in a private action. MCL § 500.664(6).

Exclusive State Cybersecurity Standards

Similar to Ohio’s law, the Act “establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director.” Id. The Act provides further protection for reinsurers, stating that they do not have state notice obligations outside of those specified under the Act. MCL § 500.560(6). The Act does not, of course, supersede federal privacy or data security laws, such as HIPAA.

Dedicated Customer Notice Provisions

While the Model Act assumes that customer notice obligations will be equivalent to those required under the state’s general data breach notification law, the Act creates industry-specific requirements. MCL § 500.561. In particular, the Act requires notice of a cybersecurity event to any state resident unless there is a reasonable determination that the event “has not or is not likely to cause substantial loss or injury” or result in identity theft. Id. Such notice must be provided “without unreasonable delay.” MCL § 500.561(b)(4).

In addition to this basic requirement, the Act’s customer notice provisions also provide for the following:

  • Written notice as well as electronic notice, telephone notice or “substitute” notice (i.e. website posting or notice to statewide media) where specific conditions are met;
  • Reasonable delay of notice where it is necessary for remediation efforts, or if the delay is requested by a law enforcement or national security agency;
  • Notification to nationwide credit agencies where notice is required to more than 1,000 residents; and
  • It provides a safe harbor for licensees subject to and who comply with the customer notice requirements of HIPAA and regulations promulgated thereunder.

Good Faith Acquisition Safe Harbor

The Act excludes from its definition of cybersecurity event the unauthorized access to data by a person acting in “good faith” and in a manner “related to the activities of the person.” MCL § 500.553(c)(ii)(A-B). The Act thus focuses on those breaches caused by third parties most likely to be targeting sensitive data for nefarious purposes.  Like the Model Law, the Act excludes from the definition of cybersecurity event any nonpublic information that was encrypted. MCL § 500.553(c)(i).

Ten Day Reporting Requirement

In a move that is more generous than the 72-hour requirement of the Model Law and the three business days requirement of Ohio’s law, the Act requires a licensee to report a cybersecurity incident to the Department within “ten business days” after a determination that one has occurred. MCL § 500.559(1).

Additional Safe Harbor for In-State Licensees

Compared to the Model Act, the Act provides an additional safe harbor for Michigan-based licensees, requiring a report only where the cybersecurity event has a reasonable likelihood of materially harming a consumer or the licensee’s operations. MCL § 500.559(a)(i-ii). The Model Act provides this safe harbor only for out-of-state licensees.

De Minimis Exception

Licensees with fewer than 25 employees including independent contractors are excluded from certain requirements of the Act. MCL § 500.565(2).

Thomas D. Cunningham

Chicago

tcunningham@sidley.com

Shay Banerjee

sbanerjee@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.