
Michigan: Cybersecurity


1. GOVERNING TEXTS

There is no specific cybersecurity law in the state of Michigan. Instead, relevant provisions can be found under §§500.550 – 500.565 of Chapter 5 of the Michigan Compiled Laws ('Mich. Comp. Laws') ('the Data Security Act'), modelled after the National Association of Insurance Commissioners ('NAIC') Insurance Data Security Model Law. The Data Security Act applies to the insurance sector and took effect on 20 January 2021.

The Department of Insurance and Financial Services ('DIFS') is the State of Michigan's department responsible for regulating Michigan's financial industries including consumer finance, financial institutions, and insurance.

The Data Breach Notification Act ('the Data Breach Act') is a new Act that provides additional notification requirements for entities processing sensitive personally identifying information. The Data Breach Act was sent to Governor Gretchen Whitmer on 22 December 2020 for signature and is due to take effect on 20 January 2022.

Please note that this Guidance Note refers to state-wide legislation for Michigan. In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:

2. SCOPE OF APPLICATION

Not applicable.

3. GENERAL REQUIREMENTS

Not applicable.

3.1. Implementation of a cybersecurity framework

Each covered entity and third-party agent shall implement and maintain reasonable security measures designed to protect sensitive personally identifying information against a breach of security (§5(1) of the Data Breach Act). In determining which security measures are reasonable, the covered entity or third-party agent shall consider (§5(2) of the Data Breach Act):

  • the size of the covered entity or third-party agent;
  • the amount of sensitive personally identifying information that is owned or licensed by the covered entity, or maintained, processed, or accessed by the third-party agent in connection with providing services to a covered entity, and the type of activities for which sensitive personally identifying information is accessed, acquired, or maintained by or on behalf of the covered entity; and
  • the covered entity's or third-party agent's cost to implement and maintain the security measures to protect against a breach of security, relative to its resources.

3.2. Notification of cybersecurity incidents

General data breach notification requirements are provided under §445.61 et seq. of Chapter 445 of the Mich. Comp. Laws ('the Identity Theft Protection Act').

The Mich. Comp. Laws were amended by House Bill ('HB') 6406 ('the Amendment Act') which provides additional breach notification exceptions.

3.2.1.  In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?

Not applicable.

3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.

Not applicable.

3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?

Notification to data subjects

Notice must be provided to each resident who meets one or more of the following criteria (§445.72(1) of the Mich. Comp. Laws):

  • the resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorised person; or
  • the resident's personal information was accessed and acquired in encrypted form by a person with unauthorised access to the encryption key.

If a covered entity that owns or licenses sensitive personally identifying information determines under §7 of the Data Breach Act that a breach has occurred, the covered entity must provide notice of the breach to each state resident whose sensitive personally identifying information was acquired in the breach, as expeditiously as possible and without unreasonable delay. Unless an exception under §9(3) of the Data Breach Act applies, the notice must be provided not later than 45 days after the covered entity determines the scope of the breach and restores the reasonable integrity of the database (§9(1) and (2) of the Data Breach Act).

Third party notification

If a third-party agent experiences a breach of security in the system maintained by the agent, the agent shall notify the covered entity of the breach of security as quickly as practicable (§15(1) of the Data Breach Act).

In addition, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach (§445.72(2) of the Mich. Comp. Laws).

3.2.4. Please outline any other bodies that might be notified.

Notification to consumer reporting agencies

A person or agency that must provide notice to more than 1,000 affected residents must also notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (§445.72(8) of the Mich. Comp. Laws).

3.3. Appointment of a security officer

Not applicable.

3.4. Other requirements

If a covered entity determines that a breach of security has or may have occurred, the covered entity shall conduct a good-faith and prompt investigation that includes (§7 of the Data Breach Act):

  • an assessment of the nature and scope of the breach;
  • identification of any sensitive personally identifying information that was involved in the breach and the identity of any state residents to whom that information relates;
  • a determination of whether the sensitive personally identifying information has been acquired, or is reasonably believed to have been acquired, by an unauthorised person; and
  • identification and implementation of measures to restore the security and confidentiality of the systems compromised in the breach.

For more information on the Mich. Comp. Laws notification requirements, please refer to OneTrust DataGuidance's Michigan – Data Breach Guidance Note.

4. REQUIREMENTS IN THE INSURANCE SECTOR

4.1. Definitions

Consumer: means an individual, including, but not limited to, an applicant, a policyholder, an insured, a beneficiary, a claimant, and a certificate holder, who is a resident of this state and whose non-public information is in a licensee's possession, custody, or control (§553(b) of the Data Security Act).

Cybersecurity event: means an event that results in unauthorised access to and acquisition of, or disruption or misuse of, an information system or non-public information stored on an information system. Cybersecurity event does not include either of the following (§553(c) of the Data Security Act):

  • the unauthorised acquisition of encrypted non-public information if the encryption, process, or key is not also acquired, released, or used without authorisation; or
  • the unauthorised access to data by a person if the access meets both of the following criteria;
    • the person acted in good faith in accessing the data; and
    • the access was related to activities of the person.

Information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle non-public information (§553(e) of the Data Security Act).

Information system: means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information, as well as any specialised system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system (§553(f) of the Data Security Act).

Licensee: licensed insurers or producers, and other persons licensed or required to be licensed, authorised, registered, holding or required to hold a certificate of authority under the Data Security Act. Licensees do not include purchasing groups or risk retention groups chartered and licensed in a state other than Michigan, or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction (§553(g) of the Data Security Act).

Non-public information: means electronic information that is not publicly available information and is any of the following (§553(i) of the Data Security Act):

  • business-related information of a licensee, the tampering with which, or unauthorised disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
  • any information concerning a consumer that, because of a name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:
    • social security number;
    • driver license number or non-driver identification card number;
    • financial account number, or credit or debit card number;
    • any security code, access code, or password that would permit access to a consumer's financial account; or
    • biometric records; or
  • any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
    • the past, present, or future physical, mental, or behavioural health or condition of any consumer or a member of the consumer's family;
    • the provision of health care to any consumer; or
    • payment for the provision of health care to any consumer.

Authorised individual: means an individual known to, and screened by, the licensee and determined to be necessary and appropriate to have access to the non-public information held by the licensee and its information systems (§553(a) of the Data Security Act).

Third-party service providers: means a person that is not a licensee and that contracts with a licensee to maintain, process, store, or otherwise is permitted access to non-public information, through its provision of services to the licensee (§553(l) of the Data Security Act).

4.2. Information security program implementation

A licensee shall designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee that is responsible for the information security program (§555(3)(a) of the Data Security Act).

The Guidance outlines that organisations should take the following steps to help secure their businesses:

  • conduct a security and self-risk assessment, determine what to protect, what protections exist and where the gaps exist, and identify the tools you need to protect this information;
  • implement sound cybersecurity procedures and training for employees, educate employees on smart use of social media, how to spot suspicious emails, and not connecting to public Wi-Fi on a company device;
  • implement cybersecurity insurance as part of the organisation's disaster recovery plan. If the organisation does not have such a plan, it should consider creating one, develop procedures, and identify threats and vulnerabilities; and
  • always back up important business systems and data, implement settings encouraging regular password changes, restrictions on the websites employees can access, as well as strong security software.

Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program, based on the licensee's risk assessment (which is further detailed in section 4.5 below), that contains administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system (§555(1) of the Data Security Act).

A licensee's information security program must be designed to do all of the following (§555(2) of the Data Security Act):

  • protect the security and confidentiality of non-public information and the security of the information system;
  • protect against any threats or hazards to the security or integrity of non-public information and the information system;
  • protect against unauthorised access to or use of non-public information and minimise the likelihood of harm to any consumer; and
  • maintain policies and procedures for the secure disposal on a periodic basis of any non-public information that is no longer necessary for business operations or for other legitimate business purposes.

Based on its risk assessment, a licensee shall do all of the following (§555(4) of the Data Security Act):

  • design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control; and
  • determine which of the following security measures are appropriate and implement those appropriate security measures:
    • placing access controls on information systems, including controls to authenticate and permit access only to authorised individuals to protect against the unauthorised acquisition of non-public information;
    • identifying and managing the data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes in accordance with their relative importance to business objectives and the organisation’s risk strategy;
    • restricting physical access to non-public information to authorised individuals only;
    • protecting by encryption or other appropriate means all non-public information while being transmitted over an external network and all non-public information stored on a laptop computer or other portable computing or storage device or media;
    • adopting secure development practices for in-house developed applications utilised by the licensee;
    • adding procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee;
    • modifying the information system in accordance with the licensee's information security program;
    • using effective controls, which may include multi-factor authentication procedures for employees accessing non-public information;
    • regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
    • including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
    • implementing measures to protect against destruction, loss, or damage of non-public information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and
    • developing, implementing, and maintaining procedures for the secure disposal of non-public information in any format.
  • include cybersecurity risks in the licensee's enterprise risk management process;
  • stay informed regarding emerging threats or vulnerabilities and utilise reasonable security measures when sharing information, relative to the character of the sharing and the type of information shared; and
  • provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

A licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its non-public information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems (§555(7) of the Data Security Act).

4.3. Cybersecurity incidents

Investigation of a cybersecurity event

If the licensee learns that a cybersecurity event has or may have occurred, the licensee or an outside vendor or service provider, or both, designated to act on behalf of the licensee, shall conduct a prompt investigation (§557(1) of the Data Security Act).

During such investigation, the licensee, or an outside vendor or service provider, or both, designated to act on behalf of the licensee, shall, at a minimum, do as much of the following as possible (§557(2) of the Data Security Act):

  • determine whether a cybersecurity event has occurred;
  • assess the nature and scope of the cybersecurity event;
  • identify any non-public information that may have been involved in the cybersecurity event; and
  • perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event to prevent further unauthorised acquisition, release, or use of non-public information in the licensee's possession, custody, or control.

The licensee shall maintain records concerning all cybersecurity events for at least five years from the date of the cybersecurity event and shall produce those records on demand of the Director of the DIFS ('the Director') (§557(3) of the Data Security Act).

Notification to the Director

Each licensee shall notify the Director as promptly as possible, but not later than ten business days after a determination that a cybersecurity event involving non-public information in the possession of the licensee has occurred, when either of the following is met (§559(1) of the Data Security Act):

  • Michigan is the licensee's state of domicile, for an insurer, or the licensee's home state, for an insurance producer as that term is defined in §500.1201 of the Mich. Comp. Laws, and the cybersecurity event has a reasonable likelihood of materially harming either of the following:
    • a consumer residing in the State of Michigan; or
    • any material part of the normal operation of the licensee; or
  • the licensee reasonably believes that the non-public information involved relates to 250 or more consumers residing in Michigan, and the event is either of the following:
    • a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law; or
    • a cybersecurity event that has a reasonable likelihood of materially harming either of the following:
      • any consumer residing in this state; or
      • any material part of the normal operation of the licensee.

The licensee shall provide the information under this subsection in electronic form as directed by the Director (§559(2) of the Data Security Act).

The licensee has a continuing obligation to update the Director regarding any subsequent material changes to the previously provided notice relating to the cybersecurity event. The licensee shall provide as much of the following information as possible (§559(2) of the Data Security Act):

  • the date of the cybersecurity event;
  • a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
  • how the cybersecurity event was discovered;
  • whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
  • the identity of the source of the cybersecurity event;
  • whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided;
  • a description of the specific types of information acquired without authorisation. As used in this subdivision, 'specific types of information' means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
  • the period during which the information system was compromised by the cybersecurity event;
  • the number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Director and update this estimate with each subsequent report to the Director under this section;
  • the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
  • a description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
  • a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
  • the name of a contact person who is both familiar with the cybersecurity event and authorised to act for the licensee.

The licensee shall also comply with the above notification requirements for a cybersecurity event that occurred in a system maintained by a third-party service provider (§559(4) of the Data Security Act).

Where the cybersecurity event involves non-public information that is used by the licensee when acting as an assuming insurer, or that is in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the Director of its state of domicile within ten business days after making the determination that a cybersecurity event has occurred (§559(4) of the Data Security Act).

A licensee acting as an assuming insurer does not have other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of the State of Michigan (§559(6) of the Data Security Act).

Where the cybersecurity event involves non-public information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer, and for which consumer notice is required, the insurer shall notify the producers of record of all affected consumers of the cybersecurity event not later than the time at which notice is provided to the affected consumers. The insurer is excused from this obligation for any producer who is not authorised by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in those instances in which the insurer does not have the current producer of record information for any individual consumer (§559(7) of the Data Security Act).

Notification to residents

Notification to residents in the State of Michigan is required unless the licensee has concluded that the cybersecurity event has not, or is not likely to, cause substantial loss or injury to, or result in identity theft with respect to, one or more residents. A licensee that owns or licenses data and that discovers a cybersecurity event, or receives notice of a cybersecurity event under §561(2) of the Data Security Act, shall provide a notice to each resident in the State of Michigan who meets one or more of the following (§561(1) of the Data Security Act):

  • that resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorised person; or
  • that resident's personal information was accessed and acquired in encrypted form by a person with unauthorised access to the encryption key.

Where a licensee maintains a database that includes data that the licensee does not own or license, and discovers a breach of the security of the database, the licensee shall provide a notice of the cybersecurity event to the owner or licensor of the information, unless the licensee has determined that the event has not, or is not likely to, cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of the State of Michigan (§561(2) of the Data Security Act).

When establishing whether a cybersecurity event is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents in the State of Michigan under §561(1) or (2) of the Data Security Act, a licensee shall act with the care an ordinarily prudent person or agency in such a position would exercise under similar circumstances (§561(3) of the Data Security Act).

Notification timeframe

A licensee shall provide any notice required under this section without unreasonable delay. A licensee may delay providing notice without violating this subsection if either of the following is met (§561(4) of the Data Security Act):

  • a delay is necessary in order for the licensee to take any measures necessary to determine the scope of the cybersecurity event and restore the reasonable integrity of the database. However, the licensee shall provide the notice required under this subsection without unreasonable delay after the licensee completes the measures necessary to determine the scope of the cybersecurity event and restore the reasonable integrity of the database; or
  • a law enforcement agency determines and advises the licensee that providing a notice will impede a criminal or civil investigation or jeopardise homeland or national security. However, the licensee shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardise homeland or national security.

Form of notification

A licensee shall provide any notice required under this section by providing one or more of the following to the recipient (§561(5) of the Data Security Act):

  • written notice sent to the recipient at the recipient's postal address in the records of the licensee;
  • written notice sent electronically to the recipient if any of the following is met:
    • the recipient has expressly consented to receive electronic notice;
    • the licensee has an existing business relationship with the recipient that includes periodic electronic mail communications, and based on those communications the licensee reasonably believes that it has the recipient's current electronic mail address; or
    • the licensee conducts its business primarily through internet account transactions or on the internet;
  • if not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the licensee, if all of the following are met:
    • the notice is not given in whole or in part by use of a recorded message; and
    • the recipient has expressly consented to receive notice by telephone, or, if the recipient has not expressly consented to receive notice by telephone, the licensee also provides notice by postal or electronic written notice as described above if the notice by telephone does not result in a live conversation between the individual representing the licensee and the recipient within three business days after the initial attempt to provide telephonic notice.

A notice must meet all of the following (§561(6) of the Data Security Act):

  • for a written notice provided by post or electronically under §561(5)(a) or (b) of the Data Security Act, be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g) (the five points listed below);
  • for a telephone notice provided under §561(5)(c) of the Data Security Act, clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call;
  • describe the cybersecurity event in general terms;
  • describe the type of personal information that is the subject of the unauthorised access or use;
  • if applicable, generally describe what the licensee providing the notice has done to protect data from further security breaches;
  • include a telephone number where a notice recipient may obtain assistance or additional information; and
  • remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.

A licensee may provide any notice required under this section under an agreement between the licensee and another licensee, if the notice provided under the agreement does not conflict with the Data Security Act (§561(7) of the Data Security Act).

Substitute notice

The Data Security Act permits a licensee to use a substitute notice if the licensee demonstrates that the cost of providing notice under subdivision (a), (b), or (c) (mentioned above under Form of Notification) will exceed $250,000.00, or that the licensee has to provide notice to more than 500,000 residents of the State of Michigan. A licensee provides substitute notice under this subdivision by doing all of the following (§561(5)(d) of the Data Security Act):

  • if the licensee has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents;
  • if the licensee maintains a website, conspicuously posting the notice on that website; and
  • notifying major statewide media. A notification under this subparagraph must include a telephone number or a website address that a person may use to obtain additional assistance and information.

Notices to consumer reporting agencies

After a licensee provides a notice under §561 of the Data Security Act, the licensee shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act of 1970 of the cybersecurity event without unreasonable delay. A notification under this subsection must include the number of notices that the licensee has provided to residents in the State of Michigan and the timing of said notices. This subsection does not apply if either of the following is met (§561(8) of the Data Security Act):

  • the licensee is required under this section to provide notice of a cybersecurity event to 1,000 or fewer residents of the State of Michigan; or
  • the licensee is subject to the GLBA.

4.4. Powers / penalties

When a cybersecurity event has not occurred and a person provides notification of a cybersecurity event, with the intent to defraud, is guilty of a misdemeanor punishable as follows (§561(10) of the Data Security Act):

  • except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250 for each violation, or both;
  • for a second violation, by imprisonment for not more than 93 days or a fine of not more than $500 for each violation, or both; and
  • for a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750 for each violation, or both.

Subject to §561(12) of the Data Security Act, a person that knowingly fails to provide a notice of a cybersecurity event may be ordered to pay a civil fine of not more than $250 or each failure to provide notice. The Attorney General of Michigan or a prosecuting attorney may bring an action to recover a civil fine under the Data Security Act (§561(11) of the Data Security Act).

The aggregate liability of a person for civil fines under §561(11) of the Data Security Act for multiple violations that arise from the same cybersecurity event must not exceed $750,000 (§561(12) of the Data Security Act). Moreover, §§561(10) and (11) of the Data Security Act do not affect the availability of any civil remedy for a violation of state or federal law.

4.5. Other

A licensee shall do all of the following (§555(3) of the Data Security Act):

  • identify reasonably foreseeable internal or external threats that could result in unauthorised access, transmission, disclosure, misuse, alteration, or destruction of non-public information, including the security of information systems and non-public information that are accessible to, or held by, third-party service providers;
  • assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the non-public information;
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following:
    • employee training and management;
    • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal;
    • detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
  • implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

A licensee shall exercise due diligence in selecting its third-party service providers. A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and non-public information that are accessible to, or held by, the third-party service provider (§555(6) of the Data Security Act).

A licensee that is subject to and complies with HIPAA and the regulations promulgated under it, namely the HIPAA Privacy and Security Rules at Parts 160 and 164 of Title 45 of the Code of Federal Regulations, is considered to be in compliance with the Data Security Act (§561(9) of the Data Security Act).

A licensee that has fewer than 25 employees, including any independent contractors, is exempt from the requirements of §555 of the Data Security Act outlined above. A licensee subject to and in compliance with HIPAA, and with the regulations promulgated under that act, is not required to comply with the Data Security Act except for the requirements under §§559 and 561 of the Data Security Act outlined above. An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from §555 of the Data Security Act and does not need to develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee (§565(1) to (3) of the Data Security Act).

5. REQUIREMENTS IN THE HEALTH SECTOR

5.1. Definitions

Not applicable.

5.2. Security program / framework

Not applicable.

5.3. Incidents

Not applicable.

5.4. Penalties

Not applicable.

5.5. Other

Not applicable.

For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.

6. REQUIREMENTS IN THE FINANCIAL SECTOR

6.1. Definitions

Not applicable.

6.2. Security program / framework

Not applicable.

6.3. Incidents

Not applicable.

6.4. Penalties

Not applicable.

6.5. Other

Not applicable.

For more information on federal cybersecurity obligations in the financial sector please refer to the following OneTrust DataGuidance Guidance Note USA - GLBA Safeguards Rule – Cybersecurity.

7. PENALTIES

Not applicable.

8. OTHER AREAS OF INTEREST

Not applicable.


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
