On Friday, Dec. 28, 2018, the Michigan Governor signed House Bill 6491 sponsored by Rep. Lana Theis (R-Brighton) establishing the Michigan Data Security Act, which holds insurance companies to a significantly higher standard regarding private consumer information, increases consumer protection requirements, and establishes new reporting requirements if a breach of consumer data occurs.
“Data security is perhaps one of the most important topics for the insurance industry today,” said Theis, who chaired the House Insurance Committee. “In light of significant cybersecurity attacks throughout both the private and public sectors – insurance companies and agents must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes.”
In 2017, the National Association of Insurance Commissioners (NAIC) adopted a data security model law which suggested rules for insurers, agents and other licensed entities covering data security, investigation, and notification of breaches. Michigan is the first state in the nation to adopt an insurance data security act based upon the NAIC model.
Under House Bill 6491, insurance licensees will be required to build and maintain a data security system, develop a written incident response plan detailing how they will respond in the event of a breach, annually assess its effectiveness, and certify to the Department of Insurance and Financial Services that they comply with the act. The law also incorporates several notice and disclosure provisions currently contained in the Michigan ID Theft Prevention Act.
Upon discovery of a breach, an insurance licensee is required to notify both the Department of Insurance and Financial Services and the consumer, utilizing the shortest consumer notification period for any industry in Michigan.
House Bill 6491 will set a precedent for a uniform data security law throughout the country. Throughout the process, several states, with the intent of adopting the “Michigan Model,” watched with keen interest the changes Rep. Theis made to the NAIC model act while working with state regulators, trade associations, and interest groups.
“By acting now, Michigan is setting the national model for what data security should look like,” Theis said. “This gives our state the ability to have more control over future policy discussions and ensure that we are enacting laws that work for our residents.”