In 2018, Governor Snyder signed into law a bill modifying Michigan’s Identity Theft Protection Act to exempt insurance companies from its data breach notification requirements. In connection with this bill, however, Governor Snyder signed another bill adding data security provisions to Michigan’s Insurance Code. This bill became mostly effective on January 20, 2021, with several additional provisions delayed until January 20, 2022 or 2023.
What companies must comply with Michigan’s new Insurance Code Data Security chapter?
The new Data Security chapter is applicable to licensed insurers, insurance producers (which are commonly referred to as insurance agents and include persons selling, soliciting, or negotiating insurance in Michigan), and other companies or individuals holding or required to hold a license or certificate of authority under Michigan’s Insurance Code, each of which are referred to as “Licensees.” The definition of insurer includes all individuals, companies, organizations, and other legal entities issuing insurance or surety contracts in Michigan. “Insurance” is broadly defined to include almost any kind of insurance, including life insurance, disability insurance, health insurance, car insurance, property and casualty insurance, and title insurance.
What information is covered?
The Michigan Insurance Code’s Data Security section is intended to protect two categories of information: (1) personal information and (2) nonpublic information.
Personal information is the more narrow category of information and receives greater protection. The new Data Security section defines personal information as the first name or initial of a Michigan resident combined with their last name (e.g., John Smith or J. Smith) and one or more of that resident’s (i) Social Security number, (ii) driver’s license number or state personal identification card number, or (iii) financial account number or credit or debit card number in combination with any code or password required to access any of that resident’s financial accounts.
Nonpublic information is more broadly defined, encompassing all information meeting the definition of personal information in addition to several other categories of data. Specifically, nonpublic information means any electronic information not publicly available that is any of the following: (i) business-related information of the insurer that could adversely impact the business, operations, or security of the insurer; (ii) any information that can be used to identify a consumer in combination with that consumer’s social security number, driver’s license or identification card number, financial account number, credit or debit card number, code or password for a financial account, or biometric records; or (iii) information or data in any form created by a health care provider or consumer that can identify that consumer and relates to that consumer’s (or their family’s) physical, mental, or behavioral health, the provision of health care to any consumer, or payment for the provision of health care to any consumer.
How must insurers protect nonpublic information?
Data breaches are called “cybersecurity events” under Michigan’s Insurance Code and are specifically defined to mean unauthorized access to and acquisition, disruption, or misuse of nonpublic information.
Generally, Licensees have three categories of responsibilities regarding nonpublic information involved in a cybersecurity event: (1) conducting investigations of cybersecurity events, (2) notifying the owner of any information maintained, but not owned, by the Licensee, and (3) notifying the Director of Michigan’s Department of Insurance and Financial Services.
If a Licensee determines a cybersecurity event has or may have occurred, the Licensee (or their vendor or service provider) must promptly investigate to determine whether a cybersecurity event has actually occurred, assess the nature and scope of the cybersecurity event, and identify any nonpublic information potentially involved. The Licensee must also promptly take reasonable measures to restore the security of its compromised information systems and maintain records of any cybersecurity event for at least 5 years from the date of the event.
Licensees must notify the owners of information the Licensee maintains but does not own of any cybersecurity events affecting that information. The Licensee is not required to provide this notice if the Licensee determines no Michigan residents are likely to experience an identity theft or a substantial loss or injury because of the cybersecurity event.
Licensees must also notify the Director of Michigan’s Department of Insurance and Financial Services, depending on the nature of the cybersecurity event.
What must notices to the Department of Insurance and Financial Services contain?
Licensees must notify the Director of Michigan’s Department of Insurance and Financial Services of a cybersecurity event within ten business days of determining that the event involved nonpublic information if the cybersecurity event has a sufficient impact on residents of the state of Michigan.
The notice must be in an electronic form provided by the Director (currently known as FIS 2359) and include as much of the following information as possible: (i) the date of the cybersecurity event, (ii) a description of how the data was exposed and the responsibility of any third-party service providers, (iii) how the cybersecurity event was discovered, (iv) whether and how any stolen data has been recovered, (v) the source of the cybersecurity event, (vi) whether and when any regulatory or law enforcement agencies have been notified, (vii) a description of the types of information stolen, (viii) the period of time the system was compromised, (ix) the number of Michigan residents affected, (x) the results of any internal review of automated controls or internal procedures, (xi) a description of any efforts to remediate the situation that allowed the cybersecurity event, (xii) a copy of the Licensee’s privacy policy, (xiii) the name of a contact person, and (xiv) a copy of any notice sent to consumers required under the Data Security provisions of Michigan’s Insurance Code. Licensees must update this information if there are any material changes.
How must insurers protect personal information?
Personal information will essentially always be nonpublic information, so Licensees must provide personal information the same protection discussed above. In addition, Licensees must notify Michigan residents of certain cybersecurity events.
Licensees must notify each Michigan resident whose personal information was accessed and acquired by an unauthorized person if that personal information was vulnerable. This notice is not required, however, if the Licensee determines the cybersecurity event is not likely to cause substantial loss or injury to, or result in the identity theft of, a Michigan resident. These notices must be provided without unreasonable delay, although a delay is allowed if it is necessary to determine the scope of the cybersecurity event, if it is needed to restore the security of the database, or if a law enforcement agency advises the Licensee that notice will impede an investigation or jeopardize national security.
If a Licensee is required to provide notice to more than 1,000 Michigan residents, the Licensee must also notify all national consumer reporting agencies of the number of Michigan residents notified and the time these residents were notified.
A Licensee subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and all related regulations is deemed to be in compliance with these requirements.
What must be in notices to Michigan residents?
In addition to timing requirements, the new Data Security provisions require notices to contain a general description of the cybersecurity event, a description of the type of personal information involved, a general description of anything the Licensee has done to protect against future security breaches, a telephone number where the resident may obtain assistance or more information, and a reminder to the resident to remain vigilant for incidents of fraud and identity theft.
The Licensee may provide this notice by mail or, if certain requirements are met, electronically or by phone. The Licensee can provide substitute notice, however, if providing notice using one of these methods would cost more than $250,000 or the notice must be sent to more than 500,000 residents. Substitute notice requires the Licensee to provide notice by emailing any residents it can, posting a conspicuous notice on its website, and notifying major statewide media.
What provisions are delayed until 2022 and 2023?
MCL 500.555(6) is delayed until January 20, 2023, and the remaining sections of MCL 500.555 all take effect on January 20, 2022.
MCL 500.555(6) will require Licensees to exercise due diligence in selecting third-party service providers. More specifically, this section will obligate Licensees to require their third-party service providers to implement appropriate measures to protect any information systems or nonpublic information accessible to the third-party service provider.
MCL 500.555 generally requires Licensees to develop and implement comprehensive written information security programs and incident response plans. The requirements for these programs are numerous and are outlined at length in the statute.
What protections do private individuals have under the new data security requirements?
Although the new data security provisions do not create any private cause of action for an insurer’s breach of its duties, private individuals can reasonably expect insurers to comply with their obligations as the penalty for violations from a single data breach can reach $750,000, depending on the size of the breach.
Other questions?
If you are concerned about complying with these or other data privacy and cybersecurity requirements, contact the knowledgeable business attorneys at Gielow Groom Terpstra & McEvoy in Muskegon for assistance with these and other modern legal challenges facing your business.
News and blog articles presented in this website are distributed for general information purposes only with the understanding that the author, publisher and distributor of articles is not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, GGTM assumes no liability whatsoever in connection with the use of any article. Pursuant to applicable rules of professional conduct, this communication may constitute Attorney Advertising.