Businesses regulated by the Michigan Department of Financial and Insurance Services face upcoming deadlines for compliance with the Michigan Data Security Act.
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (the “Act”). As an amendment to Michigan’s existing Insurance Code, MCL 500.550, et seq., the Act “establishes the exclusive standards . . . applicable to licensees for data security, the investigation of a cybersecurity event, and notification” to the Michigan Department of Financial and Insurance Services (DFIS). While the Act was passed in 2018, several requirements under the Act become effective on January 20, 2021, and businesses subject to the Act must take action to ensure they timely implement the required policies and procedures.
Insurance Businesses Subject to Michigan’s Data Security Model Law
Michigan-based insurers, insurance agents, and other entities licensed by the Michigan Department of Financial and Insurance Services must comply with the requirements of the Act.
The Act focuses on insurance companies, which are referred to in the Act as “licensees.” Section 553(g) of the Act defines “licensee” as any licensed insurer or producer required by DFIS to hold a certificate of authority, such as life & health, property & casualty, surplus lines, fraternal, and title insurers. However, the Act’s definition of licensee does not include any purchasing group or risk retention group chartered and licensed in a state other than Michigan, or a person acting as an assuming insurer domiciled in another state or jurisdiction.
Statutory Requirements and Deadlines
Those portions of the Act going into effect on January 20, 2021 require licensees having 25 or more employees to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system. This process will require licensees to conduct a risk assessment, identify the employees who will be responsible for the security program, assess the sufficiency of their existing policies and procedures, and establish a written incident response plan. This security program must be implemented by January 20, 2022. Licensees will then have to certify compliance with these requirements by February 15 of each year. By January 20, 2023, these licensees must also implement measures appropriate to protect and secure the information systems and nonpublic information that are accessible to, or held by, their third-party service providers, which will require updated contracts with service providers where appropriate.
Also beginning January 20, 2021, all licensees (regardless of number of employees) are subject to additional requirements relating to the investigation, reporting, and notification of cybersecurity events. Under certain circumstances, licensees must notify DFIS within 10 days after a determination that a cybersecurity event involving nonpublic information has occurred. Licensees are also subject to additional requirements regarding notification to residents and consumer reporting agencies of cybersecurity events, and can be subject to civil and criminal penalties for failing to comply with these requirements.
How Mika Meyers Can Help
Compliance with the Act will require licensees to perform risk assessments and develop internal processes and documents ahead of the statutory deadlines identified above. Mika Meyers’ attorneys have experience helping clients work through these requirements. Businesses subject to the Act should reach out to Jennifer A. Puplava with specific questions or for assessment and assistance.