Michigan Enacts Insurance Data Security Model Law

Alston & Bird

Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. Based on the 2017 NAIC data security model law and nearly identical to the South Carolina Insurance Data Security Act, the Michigan statute will require insurance licensees to adopt a number of measures including a comprehensive written information security program (“WISP”), the submission of an annual certification of compliance to the Department of Insurance and Financial Services, and accelerated regulatory reporting to the Department in addition to individual and other notification obligations if a cybersecurity event exceeds certain thresholds.

Although the Michigan statute incorporates several notice and disclosure provisions currently contained in the Michigan ID Theft Prevention Act, in most key respects the law is identical to the South Carolina law, particularly regarding its key definitions, the implementation of a WISP, required security measures, the role of the board, third-party service providers, the incident response plan, and annual certifications and recordkeeping. However, Michigan affords licensees 10 business days from the determination that a cybersecurity event has occurred to notify the director of the Department, in contrast to South Carolina’s 72-hour clock.

The law includes a phased implementation schedule, with all sections except for the WISP and third-party service provider oversight provisions taking effect on January 20, 2021. This includes the breach reporting provisions relating to cybersecurity event investigations, regulatory reporting, and individual notifications for breaches that were discovered or subject to notification after December 31, 2019. Licensees have until January 20, 2022 to implement the provisions regarding the WISP, and until January 20, 2023 to comply with the requirements relating to a licensee’s due diligence and oversight of third-party service providers, including requirements that third-party service providers implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
