On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
Michigan’s Act, which adds chapter 5A to Michigan’s Insurance Code, seeks to establish “the exclusive standards applicable to licensees for data security, the investigation of a cybersecurity event” and certain regulatory notifications. MCL § 500.550. The Act defines licensees as persons authorized, registered, or licensed under Michigan insurance laws or required to be so. MCL § 500.553(g). This means all insurers, agencies, and brokers doing business in Michigan are covered. By contrast, reinsurers domiciled outside of Michigan as well as risk retention groups and purchasing groups chartered and licensed in another state are excluded from the Act. Id.
The Act requires licensees to:
- Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to protect nonpublic information and the licensee’s information system within one year of the effective date of the Act;
- Perform a risk assessment that includes determining the appropriateness of implementing protections such as multifactor authentication, regular penetration testing, and encrypting data at rest;
- Develop a formal incident response plan to respond to a cybersecurity event as defined;
- Require third-party service providers to implement security measures to protect and secure any information systems and personal information by January 20, 2023; and
- Report data breaches to the Superintendent within ten (10) business days after determination that a cybersecurity event has occurred.
While the Act largely tracks the Model Law, it departs from it in several significant respects:
Private Action Provisions
The Act expressly forecloses the possibility that its adoption creates or implies a private cause of action for violation of its provisions, but does not “curtail a private cause of action that would otherwise exist” under Michigan law. MCL § 500.550.
The Act specifies that any documents provided to NAIC or other third-party consultant are not subject to the state’s freedom of information act, subpoena, or discovery in a private action. MCL § 500.664(6).
Exclusive State Cybersecurity Standards
Similar to Ohio’s law, the Act “establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director.” Id. The Act provides further protection for reinsurers, stating that they do not have state notice obligations outside of those specified under the Act. MCL § 500.560(6). The Act does not, of course, supersede federal privacy or data security laws, such as HIPAA.
Dedicated Customer Notice Provisions
While the Model Act assumes that customer notice obligations will be equivalent to those required under the state’s general data breach notification law, the Act creates industry-specific requirements. MCL § 500.561. In particular, the Act requires notice of a cybersecurity event to any state resident unless there is a reasonable determination that the event “has not or is not likely to cause substantial loss or injury” or result in identity theft. Id. Such notice must be provided “without unreasonable delay.” MCL § 500.561(b)(4).
In addition to this basic requirement, the Act’s customer notice provisions also provide for the following:
- Written notice as well as electronic notice, telephone notice or “substitute” notice (i.e. website posting or notice to statewide media) where specific conditions are met;
- Reasonable delay of notice where it is necessary for remediation efforts, or if the delay is requested by a law enforcement or national security agency;
- Notification to nationwide credit agencies where notice is required to more than 1,000 residents; and
- It provides a safe harbor for licensees subject to and who comply with the customer notice requirements of HIPAA and regulations promulgated thereunder.
Good Faith Acquisition Safe Harbor
The Act excludes from its definition of cybersecurity event the unauthorized access to data by a person acting in “good faith” and in a manner “related to the activities of the person.” MCL § 500.553(c)(ii)(A-B). The Act thus focuses on those breaches caused by third parties most likely to be targeting sensitive data for nefarious purposes. Like the Model Law, the Act excludes from the definition of cybersecurity event any nonpublic information that was encrypted. MCL § 500.553(c)(i).
Ten Day Reporting Requirement
In a move that is more generous than the 72-hour requirement of the Model Law and the three business days requirement of Ohio’s law, the Act requires a licensee to report a cybersecurity incident to the Department within “ten business days” after a determination that one has occurred. MCL § 500.559(1).
Additional Safe Harbor for In-State Licensees
Compared to the Model Act, the Act provides an additional safe harbor for Michigan-based licensees, requiring a report only where the cybersecurity event has a reasonable likelihood of materially harming a consumer or the licensee’s operations. MCL § 500.559(a)(i-ii). The Model Act provides this safe harbor only for out-of-state licensees.
De Minimis Exception
Licensees with fewer than 25 employees including independent contractors are excluded from certain requirements of the Act. MCL § 500.565(2).