Michigan-Based Insurance Licensees Now Subject to New Data Security Requirements
Under new rules put forth by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law and adopted by the Michigan legislature in 2018, Michigan-based insurance licensees are now subject to additional requirements relating to data security as of Jan. 20, 2021. The new rules are codified as chapter 5A of the Insurance Code (the "Act") and focus on regulating "licensees," which are defined as "any licensed insurer or producer required by DIFS to hold a certificate of authority, such as life & health, property & casualty, surplus lines, fraternal, and title insurers."
The portions of the Act that became effective on January 20 include terms requiring licensees:
- with 25 or more employees to develop, implement, and maintain a comprehensive written information security program (WISP) that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system, in addition a written incident response plan; and
- to contractually bind their third-party service providers to implement appropriate measures to protect and secure the information systems and nonpublic information they can access or hold.
Notably, many of these requirements are similar to those of the federal Gramm-Leach-Bliley Act (GLBA)'s Safeguards Rule, which also imposes data privacy-related obligations on "financial institutions," including insurance agencies.
If the event is likely to cause substantial loss or injury, or result in identity theft, to one or more Michigan residents, the licensee must provide notice to each resident whose personal information was accessed without authorization. Non-Michigan licensees are only required to notify DIFS of a security breach if 250 Michigan residents are impacted; for Michigan licensees, there is no such threshold.
What this means for you:
- If you are a licensee with 25 or more employees, you are required to have a WISP in place.
- If you are a licensee with 25 or more employees, you are required to have contractual terms in place that require third-party service providers to implement security measures to protect the data that you share with them.
- If you are a licensee of any size and you experience a data breach of any size, you must provide DIFS with a detailed notification, including whether your controls and procedures contributed to the security event.