On 31 December 2018, former Michigan Governor Rick Snyder signed into law a bill concerning insurance data security standards (HB 6491) (‘the Act’), which amends the Insurance Code of 1956 (Act 218 of 1956) under §500.3101 et seq. of the Michigan Compiled Laws to, among other things, establish data security standards applicable to the insurance industry. In particular, the Act follows the National Association of Insurance Commissioners’ (‘NAIC’) Insurance Data Security Model Law (‘the Model Law’), which NAIC adopted in October 2017.
Josephine Cicchetti, Shareholder at Carlton Fields Jorden Burt, P.A., told DataGuidance, “South Carolina was the first state to adopt [an insurance data security act] in May 2018, making only minor changes to the Model Law. Within days of each other, Ohio and Michigan adopted [acts that] both largely follow [the Model Law] but make several distinguishing changes. Most notably, unlike the Model Law, which requires licensees to follow the state’s general law on breach notification to consumers, the Act contains specific data breach notification requirements that are exclusively applicable to licensees.”
The Act requires licensees, defined as a licensed insurer or producer, to develop, implement, and maintain a comprehensive written information security programme based on the licensees’ risk assessment. Furthermore, in relation to data breaches, the Act requires a licensee that owns or licenses data that are included in a database, and discovers a data breach or receives notice of a data breach, to provide affected Michigan residents with notice of the breach without unreasonable delay, in line with certain requirements outlined in the Act. In addition, the Act requires licensees to notify the Director of the Department of Insurance and Financial Services within ten business days after a determination that a data breach has occurred.
Cicchetti noted, “The Model Law provides a framework ‘to establish standards for data security and standards for the investigation and notification of a cybersecurity event’ […] The Model Law is the culmination of several years of work by NAIC, beginning in late 2014 when it created the Cybersecurity (EX) Task Force (‘the Task Force’). The Task Force released several documents addressing insurance data security between 2014 and 2016, before adopting the Model Law.”
Under the Act, licensees must also establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises non-public information in the licensee’s possession. Such an incident response plan must address, among other things, the internal process for responding to a cybersecurity event, the goals of the incident response plan, external and internal communications and information sharing, and documentation and reporting regarding cybersecurity events.
Cicchetti concluded, “Next for possible action are New Hampshire, Nevada, Rhode Island, and Washington. It is expected that more states will act in 2019; however, there is no expectation that all 50 states will have moved on the Model Law by the end of 2019.”
BART VAN DER GEEST Privacy Analyst